commit: 69ad7c3bc5fc98a33968fe6b615e1b93ee66ccd7 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 10:59:44 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:48:13 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=69ad7c3b |
|
Changes to the dmidecode policy module |
|
Add a file context specification for biosdecode |
Use role attributes |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dmidecode.fc | 2 +- |
policy/modules/contrib/dmidecode.if | 17 +++++++---------- |
policy/modules/contrib/dmidecode.te | 8 +++++--- |
3 files changed, 13 insertions(+), 14 deletions(-) |
|
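diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc
index 016e6b8..c394e45 100644
--- a/policy/modules/contrib/dmidecode.fc
+++ b/policy/modules/contrib/dmidecode.fc
@@ -1,4 +1,4 @@
-
+/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
 /usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
 /usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
 /usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)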
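Review bot: Labelling `/usr/sbin/biosdecode` as `dmidecode_exec_t` on the added line places it in `dmidecode_t`, a domain that, per the .te change in this same commit, holds `sys_rawio` and `dev_read_raw_memory`, and neither the commit message nor the file context says why biosdecode needs that scope. If biosdecode reads the BIOS tables through the same raw-memory path as dmidecode, sharing the domain is the right choice; if it does not, a narrower domain would be preferable. A one-line rationale in the commit message, or a `#` comment above the new entry, would let the next reviewer of this domain's scope confirm that without re-deriving it.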
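diff --git a/policy/modules/contrib/dmidecode.if b/policy/modules/contrib/dmidecode.if
index 4bf435c..41c3f67 100644
--- a/policy/modules/contrib/dmidecode.if
+++ b/policy/modules/contrib/dmidecode.if
@@ -15,18 +15,15 @@ interface(`dmidecode_domtrans',`
 type dmidecode_t, dmidecode_exec_t;
 ')
 
-domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
-
-allow $1 dmidecode_t:fd use;
-allow dmidecode_t $1:fd use;
-allow dmidecode_t $1:fifo_file rw_file_perms;
-allow dmidecode_t $1:process sigchld;
+corecmd_search_bin($1)
+domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
 ')
 
 ########################################
 ## <summary>
-## Execute dmidecode in the dmidecode domain, and
-## allow the specified role the dmidecode domain.
+## Execute dmidecode in the dmidecode
+## domain, and allow the specified
+## role the dmidecode domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -42,9 +39,9 @@ interface(`dmidecode_domtrans',`
 #
 interface(`dmidecode_run',`
 gen_require(`
-type dmidecode_t;
+attribute_role dmidecode_roles;
 ')
 
 dmidecode_domtrans($1)
-role $2 types dmidecode_t;
+roleattribute $2 dmidecode_roles;
 ')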
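Review bot: The `<param name="role">` description of `dmidecode_run` sits above the second hunk and is not shown, but now that `role $2 types dmidecode_t;` has become `roleattribute $2 dmidecode_roles;` it should say the role is added to the `dmidecode_roles` role attribute rather than granted `dmidecode_t` directly, e.g. `## Role allowed access; it is added to the dmidecode_roles role attribute.`, if it still describes a direct type grant. Dropping `type dmidecode_t` from that `gen_require` is correct, since the interface body no longer references the type. In the first hunk, `domtrans_pattern` is expected to carry the same fd, fifo_file and sigchld permissions as the six explicit rules it replaces, so no access should be lost there; the reflow of the `dmidecode_run` summary is cosmetic only.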
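diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index d6356b5..c947c2c 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,14 +1,17 @@
-policy_module(dmidecode, 1.4.0)
+policy_module(dmidecode, 1.4.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role dmidecode_roles;
+roleattribute system_r dmidecode_roles;
+
 type dmidecode_t;
 type dmidecode_exec_t;
 application_domain(dmidecode_t, dmidecode_exec_t)
-role system_r types dmidecode_t;
+role dmidecode_roles types dmidecode_t;
 
 ########################################
 #
@@ -18,7 +21,6 @@ role system_r types dmidecode_t;
 allow dmidecode_t self:capability sys_rawio;
 
 dev_read_sysfs(dmidecode_t)
-# Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
 
 mls_file_read_all_levels(dmidecode_t)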
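Review bot: Removing `# Allow dmidecode to read /dev/mem` in the second hunk leaves `allow dmidecode_t self:capability sys_rawio;`, the most sensitive rule in this block, with no statement of why it is granted; the interface name `dev_read_raw_memory` documents the file access but not the capability. A comment on the capability line such as `# sys_rawio: presumably required to open /dev/mem — confirm against the kernel's raw-memory open check` would preserve the rationale the removed line carried. The bump to 1.4.1 in the first hunk is the right level for a change that keeps the interface signatures, and `roleattribute system_r dmidecode_roles;` preserves the previous `role system_r types dmidecode_t;` grant through the new attribute.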