2010-03-21 21:35:25

by domg472

Subject: [refpolicy] [ plymouth patch 1/1] Implement plymouth policy.


I noticed that Fedora's patch for plymouth was not adopted yet, and since I want to
merge it into my custom policy I decided to make some modifications to it in the process.

On the off chance that this patch improves chances of it to get adopted i submit it.
Be aware that some modifications i made are purely guess work (it does build though).

When i run refpolicy without the unconfined domain on a Fedora 13 system though, i get many AVC denials for kernel_t
where it is executing plymouth commands somewhere really early in the boot process. I wonder
how Fedora got that to work in say policy-MLS.

Signed-off-by: Dominick Grift <[email protected]>


---
:100644 100644 0352a19... cc054b5... M policy/modules/kernel/kernel.if
:100644 100644 2aa3808... ef8f249... M policy/modules/services/hal.if
:000000 100644 0000000... 0138640... A policy/modules/services/plymouth.fc
:000000 100644 0000000... d65c7c2... A policy/modules/services/plymouth.if
:000000 100644 0000000... 5391e59... A policy/modules/services/plymouth.te
:100644 100644 8dc6d81... 71643bc... M policy/modules/services/xserver.te
:100644 100644 362614c... 5daaf88... M policy/modules/system/logging.fc
policy/modules/kernel/kernel.if | 19 ++
policy/modules/services/hal.if | 2 +-
policy/modules/services/plymouth.fc | 9 +
policy/modules/services/plymouth.if | 339 +++++++++++++++++++++++++++++++++++
policy/modules/services/plymouth.te | 103 +++++++++++
policy/modules/services/xserver.te | 5 +
policy/modules/system/logging.fc | 1 +
7 files changed, 477 insertions(+), 1 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 0352a19..cc054b5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2807,3 +2807,22 @@ interface(`kernel_unconfined',`

typeattribute $1 kern_unconfined;
')
+
+########################################
+## <summary>
+## Connect to the kernel on a unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_stream_connect',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
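Review bot: The summary of `kernel_stream_connect` does not say when a domain would need to connect to a kernel_t unix stream socket, which is unusual since kernel_t does not normally listen on one; the only caller in this patch is plymouth_t in plymouth.te. Presumably this covers a plymouthd that was started from the initramfs before the policy was loaded and therefore keeps running as kernel_t (the AVC denials mentioned in the description point the same way), but the rule's scope should be stated rather than left for the next reader to reconstruct. If that is the reason, suggest adding `## Needed when plymouthd was started from the initramfs and is still running as kernel_t.` under the summary.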
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 2aa3808..ef8f249 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -115,7 +115,7 @@ interface(`hal_dontaudit_use_fds',`
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
diff --git a/policy/modules/services/plymouth.fc b/policy/modules/services/plymouth.fc
new file mode 100644
index 0000000..0138640
--- /dev/null
+++ b/policy/modules/services/plymouth.fc
@@ -0,0 +1,9 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
+
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
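Review bot: `/var/spool/plymouth(/.*)?` is labeled plymouthd_spool_t here, while the logging.fc hunk keeps the more specific `/var/spool/plymouth/boot.log` entry as var_log_t; the more specific file context wins, so boot.log ends up var_log_t and plymouthd_t, which in plymouth.te only gets manage rules on plymouthd_spool_t, has no rule allowing it to create or write that file. Either drop the logging.fc entry (its `# Is this still required?` comment suggests this was already suspected) so the file inherits plymouthd_spool_t, or keep it and grant plymouthd_t the corresponding logging interface, but the two files should not disagree silently. A short comment on this line, e.g. `# boot.log below this directory is labeled separately in logging.fc`, would record whichever choice is made.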
diff --git a/policy/modules/services/plymouth.if b/policy/modules/services/plymouth.if
new file mode 100644
index 0000000..d65c7c2
--- /dev/null
+++ b/policy/modules/services/plymouth.if
@@ -0,0 +1,339 @@
+## <summary>Plymouth graphical boot animation and logger.</summary>
+## <desc>
+## <p>
+## Plymouth is an application that runs very early in the
+## boot process (even before the root filesystem is mounted!)
+## that provides a graphical boot animation while the boot
+## process happens in the background.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans',`
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute the plymouth command in the
+## current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec_plymouth',`
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## plymouth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans_plymouth',`
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+## <summary>
+## Execute the plymouth daemon in the
+## current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec',`
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+## Manage plymouthd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_var_run',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
+########################################
+## <summary>
+## Read plymouthd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_pid_files',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ # where is it. If it is in /var/run/plymouth.pid; then we need a fc spec.
+ files_search_pids($1)
+ read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_lib',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage plymouthd var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_var_lib',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Manage plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+ manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_spool_files',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_spool',`
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an plymouthd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouthd_admin',`
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ plymouthd_manage_spool($1)
+ plymouthd_manage_var_lib($1)
+ plymouthd_manage_var_run($1)
+')
+
+########################################
+## <summary>
+## Connect to Plymouth daemon on
+## unix stream socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_stream_connect',`
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t;
+ ')
+
+ # Assuming it connects to Plymouthd on a socket.
+ files_search_spool($1)
+ stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+')
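Review bot: `plymouthd_admin` documents a `role` parameter and carries `<rolecap/>`, but `$2` is never used in the body, so the documented contract does not match what the interface does; either use the role (admin interfaces of this era typically pair it with a role_transition for the daemon's init script, which this module does not declare) or drop the `<param name="role">` block and `<rolecap/>`. Separately, `plymouthd_stream_connect` is admittedly a guess (`# Assuming it connects to Plymouthd on a socket.`) and hard-codes plymouthd_spool_t as the socket-file type; if plymouthd listens on an abstract unix socket, as I believe the plymouth client protocol does, the sock_file half of `stream_connect_pattern` never applies and only `allow $1 plymouthd_t:unix_stream_socket connectto;` is needed, so this is worth confirming against an actual AVC before it lands. The file also carries two pairs of near-duplicate interfaces (`plymouthd_manage_lib_files`/`plymouthd_manage_var_lib` and `plymouthd_manage_spool_files`/`plymouthd_manage_spool`); keeping one of each would reduce the surface to maintain.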
diff --git a/policy/modules/services/plymouth.te b/policy/modules/services/plymouth.te
new file mode 100644
index 0000000..5391e59
--- /dev/null
+++ b/policy/modules/services/plymouth.te
@@ -0,0 +1,103 @@
+
+policy_module(plymouth, 1.0.0)
+
+########################################
+#
+# Plymouthd personal declarations.
+#
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+########################################
+#
+# Plymouth personal declarations.
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+
+########################################
+#
+# Plymouthd personal policy.
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process signal;
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+
+kernel_change_ring_buffer_level(plymouthd_t)
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+
+dev_read_framebuffer(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_rw_dri(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_manage_fonts_cache(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_read_localization(plymouthd_t)
+
+########################################
+#
+# Plymouth personal policy.
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+kernel_stream_connect(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
+
+ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ hal_dontaudit_rw_pipes(plymouth_t)
+ hal_dontaudit_write_log(plymouth_t)
+ ')
+')
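Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` uses the generic file permission set on a fifo_file, while the plymouthd_t rule above uses `rw_fifo_file_perms`; the fifo-specific set is the one refpolicy defines for this class, so the line should read `allow plymouth_t self:fifo_file rw_fifo_file_perms;`. The `sys_admin` capability granted to plymouthd_t is also the broadest capability in the set and has no comment explaining which operation needs it; if it was carried over from the Fedora policy without a known trigger, a `# TODO: confirm which operation needs sys_admin` comment (or leaving it out until a denial shows the need) keeps the least-privilege rationale visible. Note also that nothing in this patch transitions into plymouth_t: plymouth_exec_t is only declared via `application_domain`, and the one caller of the plymouth client (xdm_t in xserver.te) uses `plymouthd_exec_plymouth`, so plymouth_t may be unreachable as written; if that is intended, a comment saying so would help.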
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8dc6d81..71643bc 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -543,6 +543,11 @@ optional_policy(`
')

optional_policy(`
+ plymouthd_exec_plymouth(xdm_t)
+ plymouthd_search_spool(xdm_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')
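Review bot: xdm_t is allowed to run the plymouth client in its own domain (`plymouthd_exec_plymouth(xdm_t)`) and to search the spool directory, but nothing lets it actually reach plymouthd: the socket connection is only granted through `plymouthd_stream_connect`, which is not called here. Suggest replacing `plymouthd_search_spool(xdm_t)` with `plymouthd_stream_connect(xdm_t)` (it already includes `files_search_spool`), or alternatively using `plymouthd_domtrans_plymouth(xdm_t)` so the client runs in plymouth_t, which has the connect rule. The enclosing optional_policy block is complete within the hunk.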

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 362614c..5daaf88 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`

/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+# Is this still required?
/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)

--
1.7.0.1
