From: domg472@gmail.com (Dominick Grift) Date: Sun, 21 Mar 2010 22:35:25 +0100 Subject: [refpolicy] [ plymouth patch 1/1] Implement plymouth policy. Message-ID: <20100321213523.GA25421@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I noticed that Fedoras' patch for plymouth was not adopted yet, and since i want to merge it to my custom policy i decided to make some modifications to it in the process. On the off chance that this patch improves chances of it to get adopted i submit it. Be aware that some modifications i made are purely guess work (it does build though). When i run refpolicy without the unconfined domain on a Fedora 13 system though, i get many AVC denials for kernel_t where it is executing plymouth commands somewhere really early in the boot process. I wonder how Fedora got that to work in say policy-MLS. Signed-off-by: Dominick Grift --- :100644 100644 0352a19... cc054b5... M policy/modules/kernel/kernel.if :100644 100644 2aa3808... ef8f249... M policy/modules/services/hal.if :000000 100644 0000000... 0138640... A policy/modules/services/plymouth.fc :000000 100644 0000000... d65c7c2... A policy/modules/services/plymouth.if :000000 100644 0000000... 5391e59... A policy/modules/services/plymouth.te :100644 100644 8dc6d81... 71643bc... M policy/modules/services/xserver.te :100644 100644 362614c... 5daaf88... M policy/modules/system/logging.fc policy/modules/kernel/kernel.if | 19 ++ policy/modules/services/hal.if | 2 +- policy/modules/services/plymouth.fc | 9 + policy/modules/services/plymouth.if | 339 +++++++++++++++++++++++++++++++++++ policy/modules/services/plymouth.te | 103 +++++++++++ policy/modules/services/xserver.te | 5 + policy/modules/system/logging.fc | 1 + 7 files changed, 477 insertions(+), 1 deletions(-) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 0352a19..cc054b5 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -2807,3 +2807,22 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') + +######################################## +## +## Connect to the kernel on a unix +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_stream_connect',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket connectto; +') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 2aa3808..ef8f249 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -115,7 +115,7 @@ interface(`hal_dontaudit_use_fds',` ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # diff --git a/policy/modules/services/plymouth.fc b/policy/modules/services/plymouth.fc new file mode 100644 index 0000000..0138640 --- /dev/null +++ b/policy/modules/services/plymouth.fc @@ -0,0 +1,9 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) + +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0) + +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) + +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0) diff --git a/policy/modules/services/plymouth.if b/policy/modules/services/plymouth.if new file mode 100644 index 0000000..d65c7c2 --- /dev/null +++ b/policy/modules/services/plymouth.if @@ -0,0 +1,339 @@ +## Plymouth graphical boot animation and logger. +## +##
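Review bot: The summary of `kernel_stream_connect` says only "Connect to the kernel on a unix stream socket" and gives no hint why any domain would need `connectto` on kernel_t sockets, which is a broad grant since it is not tied to a sock_file type. The cover letter's mention of kernel_t executing plymouth very early in boot suggests the real reason is a daemon started from the initrd before policy load that never leaves kernel_t; if that is confirmed, say so in the summary, e.g. `## Connect to the kernel on a unix stream socket. Used for daemons started before policy load that remain in the kernel domain.` That also tells callers such as plymouth.te (`kernel_stream_connect(plymouth_t)`) when the interface applies.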
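Review bot: The hal.if hunk changes a parameter description from "Domain to not audit." to "Domain allowed access.", which reads as a documentation regression: the hunk context is inside `hal_dontaudit_use_fds` and the interface whose header follows is presumably also a dontaudit one (plymouth.te calls `hal_dontaudit_rw_pipes`), and for dontaudit interfaces "Domain to not audit." is the correct refpolicy phrasing. Unless that parameter really belongs to an allow-style interface, keep `## Domain to not audit.`. Either way the hal.if edit is unrelated to plymouth and would be cleaner as a separate patch.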

+## Plymouth is an application that runs very early in the +## boot process (even before the root filesystem is mounted!) +## that provides a graphical boot animation while the boot +## process happens in the background. +##

+##
+ +######################################## +## +## Execute a domain transition to run +## plymouthd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`plymouthd_domtrans',` + gen_require(` + type plymouthd_t, plymouthd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) +') + +######################################## +## +## Execute the plymouth command in the +## current domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_exec_plymouth',` + gen_require(` + type plymouth_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, plymouth_exec_t) +') + +######################################## +## +## Execute a domain transition to run +## plymouth. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`plymouthd_domtrans_plymouth',` + gen_require(` + type plymouth_t, plymouth_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, plymouth_exec_t, plymouth_t) +') + +######################################## +## +## Execute the plymouth daemon in the +## current domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_exec',` + gen_require(` + type plymouthd_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, plymouthd_exec_t) +') + +######################################## +## +## Manage plymouthd var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_var_run',` + gen_require(` + type plymouthd_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) + manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) + manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) +') + +######################################## +## +## Read plymouthd PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_read_pid_files',` + gen_require(` + type plymouthd_var_run_t; + ') + + # where is it. 
If it is in /var/run/plymouth.pid; then we need a fc spec. + files_search_pids($1) + read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) +') + +######################################## +## +## Search plymouthd lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_search_lib',` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 plymouthd_var_lib_t:dir search_dir_perms; +') + +######################################## +## +## Create, read, write, and delete +## plymouthd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_lib_files',` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## +## Read plymouthd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_read_lib_files',` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## +## Manage plymouthd var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_var_lib',` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) + manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) + manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## plymouthd spool files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`plymouthd_manage_spool_files',` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## +## Manage plymouthd spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_spool',` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t) + manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) + manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## +## Read plymouthd spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_read_spool_files',` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## +## Search plymouthd spool directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_search_spool',` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + allow $1 plymouthd_spool_t:dir search_dir_perms; +') + +######################################## +## +## All of the rules required to administrate +## an plymouthd environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`plymouthd_admin',` + gen_require(` + type plymouthd_t; + ') + + allow $1 plymouthd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, plymouthd_t, plymouthd_t) + + plymouthd_manage_spool($1) + plymouthd_manage_var_lib($1) + plymouthd_manage_var_run($1) +') + +######################################## +## +## Connect to Plymouth daemon on +## unix stream socket +## +## +## +## Domain allowed access. 
+## +## +# +interface(`plymouthd_stream_connect',` + gen_require(` + type plymouthd_t, plymouthd_spool_t; + ') + + # Assuming it connects to Plymouthd on a socket. + files_search_spool($1) + stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) +') diff --git a/policy/modules/services/plymouth.te b/policy/modules/services/plymouth.te new file mode 100644 index 0000000..5391e59 --- /dev/null +++ b/policy/modules/services/plymouth.te 
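Review bot: `plymouthd_admin` documents a second parameter ("Role allowed access.") but its body never references `$2`, so the interface summary promises role handling it does not provide. Other admin interfaces use the role for an initrc script transition; since this module declares no initrc type, either drop the second param block from the header or add the role rules it implies. Separately, `plymouthd_stream_connect` still carries `# Assuming it connects to Plymouthd on a socket.`, and plymouth.fc labels `/var/run/plymouth(/.*)?` with a different type than the plymouthd_spool_t this pattern requires; the socket location should be confirmed and the comment replaced by a statement of where the socket lives before merge.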
@@ -0,0 +1,103 @@ + +policy_module(plymouth, 1.0.0) + +######################################## +# +# Plymouthd personal declarations. +# + +type plymouthd_t; +type plymouthd_exec_t; +init_daemon_domain(plymouthd_t, plymouthd_exec_t) + +type plymouthd_var_run_t; +files_pid_file(plymouthd_var_run_t) + +type plymouthd_var_lib_t; +files_type(plymouthd_var_lib_t) + +type plymouthd_spool_t; +files_type(plymouthd_spool_t) + +######################################## +# +# Plymouth personal declarations. +# + +type plymouth_t; +type plymouth_exec_t; +application_domain(plymouth_t, plymouth_exec_t) + +######################################## +# +# Plymouthd personal policy. +# + +allow plymouthd_t self:capability { sys_admin sys_tty_config }; +dontaudit plymouthd_t self:capability dac_override; +allow plymouthd_t self:process signal; +allow plymouthd_t self:fifo_file rw_fifo_file_perms; +allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) +manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + +manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) + +kernel_change_ring_buffer_level(plymouthd_t) +kernel_read_system_state(plymouthd_t) +kernel_request_load_module(plymouthd_t) + +dev_read_framebuffer(plymouthd_t) +dev_read_sysfs(plymouthd_t) +dev_rw_dri(plymouthd_t) +dev_write_framebuffer(plymouthd_t) + +domain_use_interactive_fds(plymouthd_t) + +files_read_etc_files(plymouthd_t) +files_read_usr_files(plymouthd_t) + +miscfiles_manage_fonts_cache(plymouthd_t) +miscfiles_read_fonts(plymouthd_t) +miscfiles_read_localization(plymouthd_t) + 
+######################################## +# +# Plymouth personal policy. +# + +allow plymouth_t self:process signal; +allow plymouth_t self:fifo_file rw_file_perms; +allow plymouth_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(plymouth_t) +kernel_stream_connect(plymouth_t) + +domain_use_interactive_fds(plymouth_t) + +files_read_etc_files(plymouth_t) + +miscfiles_read_localization(plymouth_t) + +sysnet_read_config(plymouth_t) + +term_use_ptmx(plymouth_t) + +plymouthd_stream_connect(plymouth_t) + +optional_policy(` + lvm_domtrans(plymouth_t) +') + +ifdef(`hide_broken_symptoms',` + optional_policy(` + hal_dontaudit_rw_pipes(plymouth_t) + hal_dontaudit_write_log(plymouth_t) + ') +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 8dc6d81..71643bc 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -543,6 +543,11 @@ optional_policy(` ') optional_policy(` + plymouthd_exec_plymouth(xdm_t) + plymouthd_search_spool(xdm_t) +') + +optional_policy(` resmgr_stream_connect(xdm_t) ') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 362614c..5daaf88 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -65,6 +65,7 @@ ifdef(`distro_redhat',` /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) +# Is this still required? /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) -- 1.7.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100321/34180cb4/attachment.bin
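Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` uses the generic file permission set while the plymouthd_t rule in the same file uses `rw_fifo_file_perms`; the fifo-specific set is the refpolicy convention for the fifo_file class, so this should be `allow plymouth_t self:fifo_file rw_fifo_file_perms;`. The `allow plymouthd_t self:capability { sys_admin sys_tty_config };` rule would also benefit from a why-comment, since sys_admin is one of the widest capabilities; something like `# sys_admin: TODO(review) confirm which operation needs this` until the operation is identified. Finally, nothing in this file grants plymouthd_t access to var_log_t, which matters because logging.fc labels `/var/spool/plymouth/boot.log` with that type.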
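Review bot: The xserver.te hunk lets xdm_t run plymouth in its own domain and search plymouthd_spool_t, but grants no way to reach the daemon socket, whereas plymouth.te gives the confined plymouth_t both `plymouthd_stream_connect` and `kernel_stream_connect` for exactly that purpose. If the in-domain run is intended, `plymouthd_stream_connect(xdm_t)` likely belongs in the same optional_policy block (and kernel_stream_connect if the daemon is still in kernel_t at that point). The alternative worth considering is `plymouthd_domtrans_plymouth(xdm_t)`, which keeps the client in plymouth_t instead of widening xdm_t.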
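Review bot: The new `/var/spool/plymouth/boot.log` entry labels the file var_log_t, and as the more specific spec it overrides plymouth.fc's `/var/spool/plymouth(/.*)?` plymouthd_spool_t label; plymouth.te gives plymouthd_t manage rules only on plymouthd_spool_t and calls no logging interface, so writes to that file from plymouthd_t would be denied. Either drop this line so the log inherits plymouthd_spool_t, or add the matching var_log_t rule in plymouth.te. The `# Is this still required?` question should be resolved before merge rather than committed as a comment in the file-contexts file.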