From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 25 Jun 2010 09:52:00 -0400 Subject: [refpolicy] [ hddtemp patch 1/1] hddtemp fixes. In-Reply-To: <20100623100022.GA6189@localhost.localdomain> References: <20100623100022.GA6189@localhost.localdomain> Message-ID: <1277473920.6739.2.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2010-06-23 at 06:00 -0400, Dominick Grift wrote: > Clean up network control section. > Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages > are: > - hddtemp_t no longer needs access to read all generic etc_t files. > - allows us to implement a meaningful hddtemp_admin() Merged. > Signed-off-by: Dominick Grift > --- > :100644 100644 67ea7b6... d81eb37... M > policy/modules/services/hddtemp.fc > :100644 100644 af25134... fde2c3d... M > policy/modules/services/hddtemp.if > :100644 100644 49c095c... d67a8a7... M > policy/modules/services/hddtemp.te > policy/modules/services/hddtemp.fc | 4 ++- > policy/modules/services/hddtemp.if | 50 > ++++++++++++++++++++++++++++++++--- > policy/modules/services/hddtemp.te | 16 ++++++++++- > 3 files changed, 62 insertions(+), 8 deletions(-) > > diff --git a/policy/modules/services/hddtemp.fc > b/policy/modules/services/hddtemp.fc > index 67ea7b6..d81eb37 100644 > --- a/policy/modules/services/hddtemp.fc > +++ b/policy/modules/services/hddtemp.fc > @@ -1,3 +1,5 @@ > /etc/rc\.d/init\.d/hddtemp -- > gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) > > -/usr/sbin/hddtemp -- > gen_context(system_u:object_r:hddtemp_exec_t,s0) > +/etc/sysconfig/hddtemp -- > gen_context(system_u:object_r:hddtemp_etc_t,s0) > + > +/usr/sbin/hddtemp -- > gen_context(system_u:object_r:hddtemp_exec_t,s0) > diff --git a/policy/modules/services/hddtemp.if > b/policy/modules/services/hddtemp.if > index af25134..fde2c3d 100644 > --- a/policy/modules/services/hddtemp.if > +++ b/policy/modules/services/hddtemp.if > @@ -1,12 +1,13 @@ > -## hddtemp hard disk temperature tool running as a > daemon > +## hddtemp hard disk temperature tool running as a > daemon. > > ####################################### > ## > -## Execute hddtemp in the hddtemp domain. > +## Execute a domain transition to run > +## hddtemp. > ## > ## > ## > -## Domain allowed access. > +## Domain allowed to transition. > ## > ## > # > @@ -15,13 +16,13 @@ interface(`hddtemp_domtrans',` > type hddtemp_t, hddtemp_exec_t; > ') > > - corecmd_search_bin($1) > domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) > + corecmd_search_bin($1) > ') > > ###################################### > ## > -## Execute hddtemp > +## Execute hddtemp. > ## > ## > ## > @@ -35,4 +36,43 @@ interface(`hddtemp_exec',` > ') > > can_exec($1, hddtemp_exec_t) > + corecmd_search_bin($1) > +') > + > +######################################## > +## > +## All of the rules required to > +## administrate an hddtemp environment. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`hddtemp_admin',` > + gen_require(` > + type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; > + ') > + > + allow $1 hddtemp_t:process { ptrace signal_perms }; > + ps_process_pattern($1, hddtemp_t) > + > + init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) > + domain_system_change_exemption($1) > + role_transition $2 hddtemp_initrc_exec_t system_r; > + allow $2 system_r; > + > + admin_pattern($1, hddtemp_etc_t) > + files_search_etc($1) > + > + allow $1 hddtemp_t:dir list_dir_perms; > + read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) > + kernel_search_proc($1) > ') > diff --git a/policy/modules/services/hddtemp.te > b/policy/modules/services/hddtemp.te > index 49c095c..d67a8a7 100644 > --- a/policy/modules/services/hddtemp.te > +++ b/policy/modules/services/hddtemp.te > @@ -12,6 +12,9 @@ init_daemon_domain(hddtemp_t, hddtemp_exec_t) > type hddtemp_initrc_exec_t; > init_script_file(hddtemp_initrc_exec_t) > > +type hddtemp_etc_t; > +files_config_file(hddtemp_etc_t) > + > ######################################## > # > # hddtemp local policy > @@ -23,10 +26,19 @@ allow hddtemp_t self:netlink_route_socket > r_netlink_socket_perms; > allow hddtemp_t self:tcp_socket create_stream_socket_perms; > allow hddtemp_t self:udp_socket create_socket_perms; > > -corenet_tcp_bind_all_nodes(hddtemp_t) > +allow hddtemp_t hddtemp_etc_t:file read_file_perms; > + > +corenet_all_recvfrom_unlabeled(hddtemp_t) > +corenet_all_recvfrom_netlabel(hddtemp_t) > +corenet_tcp_sendrecv_generic_if(hddtemp_t) > +corenet_tcp_sendrecv_generic_node(hddtemp_t) > +corenet_tcp_bind_generic_node(hddtemp_t) > +corenet_tcp_sendrecv_all_ports(hddtemp_t) > corenet_tcp_bind_hddtemp_port(hddtemp_t) > +corenet_sendrecv_hddtemp_server_packets(hddtemp_t) > +corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) > > -# read hddtemp db file > +files_search_etc(hddtemp_t) > files_read_usr_files(hddtemp_t) > > storage_raw_read_fixed_disk(hddtemp_t) > -- > 1.7.0.1 > > > > plain text document attachment (ATT33393.txt) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com