1 |
commit: dd202cba6ebbae36b4624a86292253520b1da82b |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Mon Oct 1 08:59:36 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Tue Oct 2 18:07:15 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd202cba |
7 |
|
8 |
Changes to the fprint policy module and relevant dependencies |
9 |
|
10 |
Ported from Fedora with changes |
11 |
|
12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
13 |
|
14 |
--- |
15 |
policy/modules/contrib/fprintd.fc | 3 ++- |
16 |
policy/modules/contrib/fprintd.if | 4 ++-- |
17 |
policy/modules/contrib/fprintd.te | 28 ++++++++++++++++------------ |
18 |
policy/modules/contrib/policykit.if | 21 +++++++++++++++++++++ |
19 |
policy/modules/contrib/policykit.te | 2 +- |
20 |
5 files changed, 42 insertions(+), 16 deletions(-) |
21 |
|
22 |
diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc |
23 |
index a4f5fb1..d861e88 100644 |
24 |
--- a/policy/modules/contrib/fprintd.fc |
25 |
+++ b/policy/modules/contrib/fprintd.fc |
26 |
@@ -1,2 +1,3 @@ |
27 |
/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) |
28 |
-/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) |
29 |
+ |
30 |
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) |
31 |
|
32 |
diff --git a/policy/modules/contrib/fprintd.if b/policy/modules/contrib/fprintd.if |
33 |
index ebad8c4..8081132 100644 |
34 |
--- a/policy/modules/contrib/fprintd.if |
35 |
+++ b/policy/modules/contrib/fprintd.if |
36 |
@@ -1,4 +1,4 @@ |
37 |
-## <summary>DBus fingerprint reader service</summary> |
38 |
+## <summary>DBus fingerprint reader service.</summary> |
39 |
|
40 |
######################################## |
41 |
## <summary> |
42 |
@@ -15,6 +15,7 @@ interface(`fprintd_domtrans',` |
43 |
type fprintd_t, fprintd_exec_t; |
44 |
') |
45 |
|
46 |
+ corecmd_search_bin($1) |
47 |
domtrans_pattern($1, fprintd_exec_t, fprintd_t) |
48 |
') |
49 |
|
50 |
@@ -38,4 +39,3 @@ interface(`fprintd_dbus_chat',` |
51 |
allow $1 fprintd_t:dbus send_msg; |
52 |
allow fprintd_t $1:dbus send_msg; |
53 |
') |
54 |
- |
55 |
|
56 |
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te |
57 |
index 7df52c7..c81b6e8 100644 |
58 |
--- a/policy/modules/contrib/fprintd.te |
59 |
+++ b/policy/modules/contrib/fprintd.te |
60 |
@@ -1,4 +1,4 @@ |
61 |
-policy_module(fprintd, 1.1.0) |
62 |
+policy_module(fprintd, 1.1.1) |
63 |
|
64 |
######################################## |
65 |
# |
66 |
@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0) |
67 |
|
68 |
type fprintd_t; |
69 |
type fprintd_exec_t; |
70 |
-dbus_system_domain(fprintd_t, fprintd_exec_t) |
71 |
+init_daemon_domain(fprintd_t, fprintd_exec_t) |
72 |
|
73 |
type fprintd_var_lib_t; |
74 |
files_type(fprintd_var_lib_t) |
75 |
@@ -17,23 +17,19 @@ files_type(fprintd_var_lib_t) |
76 |
# Local policy |
77 |
# |
78 |
|
79 |
-allow fprintd_t self:capability sys_ptrace; |
80 |
+allow fprintd_t self:capability sys_nice; |
81 |
+allow fprintd_t self:process { getsched setsched signal sigkill }; |
82 |
allow fprintd_t self:fifo_file rw_fifo_file_perms; |
83 |
-allow fprintd_t self:process { getsched signal }; |
84 |
|
85 |
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) |
86 |
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) |
87 |
-files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file }) |
88 |
|
89 |
kernel_read_system_state(fprintd_t) |
90 |
|
91 |
-corecmd_search_bin(fprintd_t) |
92 |
- |
93 |
dev_list_usbfs(fprintd_t) |
94 |
-dev_rw_generic_usb_dev(fprintd_t) |
95 |
dev_read_sysfs(fprintd_t) |
96 |
+dev_rw_generic_usb_dev(fprintd_t) |
97 |
|
98 |
-files_read_etc_files(fprintd_t) |
99 |
files_read_usr_files(fprintd_t) |
100 |
|
101 |
fs_getattr_all_fs(fprintd_t) |
102 |
@@ -46,12 +42,20 @@ userdom_use_user_ptys(fprintd_t) |
103 |
userdom_read_all_users_state(fprintd_t) |
104 |
|
105 |
optional_policy(` |
106 |
- consolekit_dbus_chat(fprintd_t) |
107 |
+ dbus_system_domain(fprintd_t, fprintd_exec_t) |
108 |
+ |
109 |
+ optional_policy(` |
110 |
+ consolekit_dbus_chat(fprintd_t) |
111 |
+ ') |
112 |
+ |
113 |
+ optional_policy(` |
114 |
+ policykit_dbus_chat(fprintd_t) |
115 |
+ policykit_dbus_chat_auth(fprintd_t) |
116 |
+ ') |
117 |
') |
118 |
|
119 |
optional_policy(` |
120 |
+ policykit_domtrans_auth(fprintd_t) |
121 |
policykit_read_reload(fprintd_t) |
122 |
policykit_read_lib(fprintd_t) |
123 |
- policykit_dbus_chat(fprintd_t) |
124 |
- policykit_domtrans_auth(fprintd_t) |
125 |
') |
126 |
|
127 |
diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if |
128 |
index 48ff1e8..8aa58e5 100644 |
129 |
--- a/policy/modules/contrib/policykit.if |
130 |
+++ b/policy/modules/contrib/policykit.if |
131 |
@@ -23,6 +23,27 @@ interface(`policykit_dbus_chat',` |
132 |
|
133 |
######################################## |
134 |
## <summary> |
135 |
+## Send and receive messages from |
136 |
+## policykit auth over dbus. |
137 |
+## </summary> |
138 |
+## <param name="domain"> |
139 |
+## <summary> |
140 |
+## Domain allowed access. |
141 |
+## </summary> |
142 |
+## </param> |
143 |
+# |
144 |
+interface(`policykit_dbus_chat_auth',` |
145 |
+ gen_require(` |
146 |
+ type policykit_auth_t; |
147 |
+ class dbus send_msg; |
148 |
+ ') |
149 |
+ |
150 |
+ allow $1 policykit_auth_t:dbus send_msg; |
151 |
+ allow policykit_auth_t $1:dbus send_msg; |
152 |
+') |
153 |
+ |
154 |
+######################################## |
155 |
+## <summary> |
156 |
## Execute a domain transition to run polkit_auth. |
157 |
## </summary> |
158 |
## <param name="domain"> |
159 |
|
160 |
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te |
161 |
index 2c37cce..e76b78f 100644 |
162 |
--- a/policy/modules/contrib/policykit.te |
163 |
+++ b/policy/modules/contrib/policykit.te |
164 |
@@ -1,4 +1,4 @@ |
165 |
-policy_module(policykit, 1.2.2) |
166 |
+policy_module(policykit, 1.2.3) |
167 |
|
168 |
######################################## |
169 |
# |