1 |
commit: f18e2cf0e7b93e4f5a3a0afaff70aa787ae9dfac |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Wed Oct 31 08:05:21 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Wed Oct 31 18:04:17 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f18e2cf0 |
7 |
|
8 |
Changes to the vdagent policy module |
9 |
|
10 |
Add init script file |
11 |
Ported from Fedora with changes |
12 |
|
13 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
14 |
|
15 |
--- |
16 |
policy/modules/contrib/vdagent.fc | 4 +++- |
17 |
policy/modules/contrib/vdagent.if | 30 ++++++++++++++++++++---------- |
18 |
policy/modules/contrib/vdagent.te | 27 +++++++++++++++++++-------- |
19 |
3 files changed, 42 insertions(+), 19 deletions(-) |
20 |
|
21 |
diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc |
22 |
index 394e9b3..45b6dde 100644 |
23 |
--- a/policy/modules/contrib/vdagent.fc |
24 |
+++ b/policy/modules/contrib/vdagent.fc |
25 |
@@ -1,7 +1,9 @@ |
26 |
+/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0) |
27 |
+ |
28 |
/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) |
29 |
|
30 |
/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) |
31 |
-/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) |
32 |
+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0) |
33 |
|
34 |
/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) |
35 |
/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) |
36 |
|
37 |
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if |
38 |
index e59a074..31c752e 100644 |
39 |
--- a/policy/modules/contrib/vdagent.if |
40 |
+++ b/policy/modules/contrib/vdagent.if |
41 |
@@ -1,4 +1,4 @@ |
42 |
-## <summary>policy for vdagent</summary> |
43 |
+## <summary>Spice agent for Linux.</summary> |
44 |
|
45 |
######################################## |
46 |
## <summary> |
47 |
@@ -15,12 +15,13 @@ interface(`vdagent_domtrans',` |
48 |
type vdagent_t, vdagent_exec_t; |
49 |
') |
50 |
|
51 |
+ corecmd_search_bin($1) |
52 |
domtrans_pattern($1, vdagent_exec_t, vdagent_t) |
53 |
') |
54 |
|
55 |
##################################### |
56 |
## <summary> |
57 |
-## Getattr on vdagent executable. |
58 |
+## Get attributes of vdagent executable files. |
59 |
## </summary> |
60 |
## <param name="domain"> |
61 |
## <summary> |
62 |
@@ -33,12 +34,12 @@ interface(`vdagent_getattr_exec_files',` |
63 |
type vdagent_exec_t; |
64 |
') |
65 |
|
66 |
- allow $1 vdagent_exec_t:file getattr; |
67 |
+ allow $1 vdagent_exec_t:file getattr_file_perms; |
68 |
') |
69 |
|
70 |
####################################### |
71 |
## <summary> |
72 |
-## Get the attributes of vdagent logs. |
73 |
+## Get attributes of vdagent log files. |
74 |
## </summary> |
75 |
## <param name="domain"> |
76 |
## <summary> |
77 |
@@ -57,7 +58,7 @@ interface(`vdagent_getattr_log',` |
78 |
|
79 |
######################################## |
80 |
## <summary> |
81 |
-## Read vdagent PID files. |
82 |
+## Read vdagent pid files. |
83 |
## </summary> |
84 |
## <param name="domain"> |
85 |
## <summary> |
86 |
@@ -76,8 +77,8 @@ interface(`vdagent_read_pid_files',` |
87 |
|
88 |
##################################### |
89 |
## <summary> |
90 |
-## Connect to vdagent over a unix domain |
91 |
-## stream socket. |
92 |
+## Connect to vdagent with a unix |
93 |
+## domain stream socket. |
94 |
## </summary> |
95 |
## <param name="domain"> |
96 |
## <summary> |
97 |
@@ -96,8 +97,8 @@ interface(`vdagent_stream_connect',` |
98 |
|
99 |
######################################## |
100 |
## <summary> |
101 |
-## All of the rules required to administrate |
102 |
-## an vdagent environment |
103 |
+## All of the rules required to |
104 |
+## administrate an vdagent environment. |
105 |
## </summary> |
106 |
## <param name="domain"> |
107 |
## <summary> |
108 |
@@ -113,12 +114,21 @@ interface(`vdagent_stream_connect',` |
109 |
# |
110 |
interface(`vdagent_admin',` |
111 |
gen_require(` |
112 |
- type vdagent_t, vdagent_var_run_t; |
113 |
+ type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t; |
114 |
+ type vdagent_log_t; |
115 |
') |
116 |
|
117 |
allow $1 vdagent_t:process signal_perms; |
118 |
ps_process_pattern($1, vdagent_t) |
119 |
|
120 |
+ init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) |
121 |
+ domain_system_change_exemption($1) |
122 |
+ role_transition $2 vdagentd_initrc_exec_t system_r; |
123 |
+ allow $2 system_r; |
124 |
+ |
125 |
+ logging_search_logs($1) |
126 |
+ admin_pattern($1, vdagent_log_t) |
127 |
+ |
128 |
files_search_pids($1) |
129 |
admin_pattern($1, vdagent_var_run_t) |
130 |
') |
131 |
|
132 |
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te |
133 |
index 57578ae..77be35a 100644 |
134 |
--- a/policy/modules/contrib/vdagent.te |
135 |
+++ b/policy/modules/contrib/vdagent.te |
136 |
@@ -1,4 +1,4 @@ |
137 |
-policy_module(vdagent, 1.0.1) |
138 |
+policy_module(vdagent, 1.0.2) |
139 |
|
140 |
######################################## |
141 |
# |
142 |
@@ -9,6 +9,9 @@ type vdagent_t; |
143 |
type vdagent_exec_t; |
144 |
init_daemon_domain(vdagent_t, vdagent_exec_t) |
145 |
|
146 |
+type vdagentd_initrc_exec_t; |
147 |
+init_script_file(vdagentd_initrc_exec_t) |
148 |
+ |
149 |
type vdagent_var_run_t; |
150 |
files_pid_file(vdagent_var_run_t) |
151 |
|
152 |
@@ -17,13 +20,13 @@ logging_log_file(vdagent_log_t) |
153 |
|
154 |
######################################## |
155 |
# |
156 |
-# vdagent local policy |
157 |
+# Local policy |
158 |
# |
159 |
|
160 |
dontaudit vdagent_t self:capability sys_admin; |
161 |
- |
162 |
+allow vdagent_t self:process signal; |
163 |
allow vdagent_t self:fifo_file rw_fifo_file_perms; |
164 |
-allow vdagent_t self:unix_stream_socket create_stream_socket_perms; |
165 |
+allow vdagent_t self:unix_stream_socket { accept listen }; |
166 |
|
167 |
manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) |
168 |
manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) |
169 |
@@ -31,7 +34,9 @@ manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) |
170 |
files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file }) |
171 |
|
172 |
manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) |
173 |
-manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) |
174 |
+append_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) |
175 |
+create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) |
176 |
+setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) |
177 |
logging_log_filetrans(vdagent_t, vdagent_log_t, file) |
178 |
|
179 |
dev_rw_input_dev(vdagent_t) |
180 |
@@ -40,12 +45,18 @@ dev_dontaudit_write_mtrr(vdagent_t) |
181 |
|
182 |
files_read_etc_files(vdagent_t) |
183 |
|
184 |
+init_read_state(vdagent_t) |
185 |
+ |
186 |
+logging_send_syslog_msg(vdagent_t) |
187 |
+ |
188 |
miscfiles_read_localization(vdagent_t) |
189 |
|
190 |
-optional_policy(` |
191 |
- consolekit_dbus_chat(vdagent_t) |
192 |
-') |
193 |
+userdom_read_all_users_state(vdagent_t) |
194 |
|
195 |
optional_policy(` |
196 |
dbus_system_bus_client(vdagent_t) |
197 |
+ |
198 |
+ optional_policy(` |
199 |
+ consolekit_dbus_chat(vdagent_t) |
200 |
+ ') |
201 |
') |