From: domg472@gmail.com (Dominick Grift)
Date: Tue, 26 Oct 2010 14:41:31 +0200
Subject: [refpolicy] Adding support for the vlock program
In-Reply-To:
References:
Message-ID: <20101026124130.GE25458@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Oct 26, 2010 at 09:40:52AM +0000, TaurusHarry wrote:
>
> Hi refpolicy experts,
>
> I have tried to develop a vlock.pp in order to run the vlock program (2.2.2 version) on top of the latest refpolicy git tree, please see the attachment.
>
> I am testing on a qemu environment, the system administrator and unprivileged user could log in from serial console or by ssh, both could use the vlock command to lock his current console successfully.
>
> How could I contribute it back to the refpolicy git tree?
>
> Any comment is greatly appreciated!

Some more pretty insignificant cosmetic suggestions inline.

>
> Best regards,
> Harry
>
> From ad4692423bcb1e10d5b9f146eab86de09b37dbb3 Mon Sep 17 00:00:00 2001
> From: Harry Ciao
> Date: Tue, 26 Oct 2010 14:34:11 +0800
> Subject: [PATCH] Adding support for the vlock program
>
> Adding support for the vlock program.
>
> Tested on vlock-2.2.2, both system administrator and unprivileged user
> could make use of vlock to lock his console successfully.
>
> Signed-off-by: Harry Ciao
> ---
> policy/modules/apps/vlock.fc | 1 +
> policy/modules/apps/vlock.if | 48 ++++++++++++++++++++++++++
> policy/modules/apps/vlock.te | 63 +++++++++++++++++++++++++++++++++++
> policy/modules/system/userdomain.if | 2 +
> 4 files changed, 114 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/apps/vlock.fc
> create mode 100644 policy/modules/apps/vlock.if
> create mode 100644 policy/modules/apps/vlock.te
>
> diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
> new file mode 100644
> index 0000000..621d5fd
> --- /dev/null
> +++ b/policy/modules/apps/vlock.fc
> @@ -0,0 +1 @@ > +/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) > diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if > new file mode 100644 > index 0000000..259575e > --- /dev/null > +++ b/policy/modules/apps/vlock.if > @@ -0,0 +1,48 @@ > +## Policy for the vlock program. Try to put something meaningful in the summary we already know its policy so thats redundant. try something like: "Lock one or more sessions on the Linux console." > + > +####################################### > +## > +## Execute vlock in the vlock domain. > +## > +## > +## > +## Domain allowed access. Domain allowed to transition. > +## > +## > +# > +interface(`vlock_domtrans_vlock',` > + gen_require(` > + type vlock_t, vlock_exec_t; > + ') > + > + files_search_usr($1) > + corecmd_search_bin($1) > + domtrans_pattern($1, vlock_exec_t, vlock_t) > +') > + > +######################################## > +## > +## Execute vlock in the vlock domain, and > +## allow the specified role the vlock domain, > +## and use the caller's terminal. That use the callers terminal is not applicable here. > +## > +## > +## > +## Domain allowed access. Again: Domain allowed to transition. > +## > +## > +## > +## > +## The role to be allowed the vlock domain. We currently use just: Role allowed access. > +## > +## > +## > +# > +interface(`vlock_run_vlock',` > + gen_require(` > + type vlock_t; > + ') > + > + vlock_domtrans_vlock($1) > + role $2 types vlock_t; > +') > diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te > new file mode 100644 > index 0000000..f0fa315 > --- /dev/null > +++ b/policy/modules/apps/vlock.te 
> @@ -0,0 +1,63 @@ > +policy_module(vlock, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type vlock_t; > +type vlock_exec_t; > +application_domain(vlock_t,vlock_exec_t) > + > + > +######################################## > +# > +# Vlock local policy > +# > + > +allow vlock_t self:fd use; > +allow vlock_t self:fifo_file rw_fifo_file_perms; > +allow vlock_t self:unix_dgram_socket { create connect }; > +allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; > + > +# dont audit the failed attempt of vlock_t to setuid/setgid, because > +# 1. we used --enable_pam for vlock to use PAM to authenticate passwd > +# 2. no guarantee that to make vlock setuid is safe > +dontaudit vlock_t self:capability { setuid setgid }; > + > +kernel_read_system_state(vlock_t) > + > +corecmd_list_bin(vlock_t) > +corecmd_read_bin_symlinks(vlock_t) > + > +files_read_etc_files(vlock_t) > +files_read_var_files(vlock_t) > +files_read_var_symlinks(vlock_t) > + > +init_rw_utmp(vlock_t) > + > +term_use_all_user_ttys(vlock_t) > +term_use_all_user_ptys(vlock_t) > +userdom_use_user_terminals(vlock_t) > + > +# Must call this interface otherwise PAM session will fail > +# with message of "terminal=? res=failed" > +domain_use_interactive_fds(vlock_t) > + > +auth_domtrans_chk_passwd(vlock_t) > + > +miscfiles_read_localization(vlock_t) > + > +logging_send_syslog_msg(vlock_t) > + > +selinux_getattr_fs(vlock_t) > + > +# When MLS enabled and vlock PAM config file using pam_tally2 module, > +# if the caller's security level is > s0, the vlock domain should be able > +# to write into /var/log/tallylog file which is s0. > +mls_file_write_all_levels(vlock_t) > + > +# vlock could be used successfully without the search permissions on > +# home_root_t or user_home_dir_t, suppress the related error messages. > +files_dontaudit_search_home(vlock_t) > +userdom_dontaudit_search_user_home_dirs(vlock_t) 
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 35f1476..d1bd453 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -565,6 +565,8 @@ template(`userdom_common_user_template',` > # to this one. > seutil_dontaudit_signal_newrole($1_t) > > + vlock_run_vlock($1_t,$1_r) > + > tunable_policy(`user_direct_mouse',` > dev_read_mouse($1_t) > ') > -- > 1.7.0.4
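
Review bot: in policy/modules/apps/vlock.if, the interface names `vlock_domtrans_vlock` and `vlock_run_vlock` repeat the module name. For a module that ships a single program, refpolicy interfaces are usually named with the module prefix and the verb only, so `vlock_domtrans` and `vlock_run` would match the rest of the tree. The call added to userdomain.if would need the same rename.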
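
Review bot: in policy/modules/apps/vlock.te, terminal access is granted by three calls, `term_use_all_user_ttys(vlock_t)`, `term_use_all_user_ptys(vlock_t)` and `userdom_use_user_terminals(vlock_t)`, and unlike the other broad rules in this hunk they carry no comment saying what needs them. If only the caller's terminal has to be locked, `userdom_use_user_terminals` may be enough on its own; if the all-terminals calls are required, a comment should say why. The same concern applies to `mls_file_write_all_levels(vlock_t)`: its comment justifies it by a single file, /var/log/tallylog, but the call lifts the MLS write restriction for everything vlock_t is otherwise allowed to write, for example utmp through `init_rw_utmp(vlock_t)`, so the comment should state that this wider effect is accepted. Minor: `application_domain(vlock_t,vlock_exec_t)` is missing the space after the comma.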
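
Review bot: in the policy/modules/system/userdomain.if hunk, `vlock_run_vlock($1_t,$1_r)` is called unconditionally inside `userdom_common_user_template`, which makes the system userdomain module depend on the apps vlock module being part of the build. Wrapping the call in an optional_policy block would let user domains still compile and load when vlock is not included. A space after the comma, `vlock_run_vlock($1_t, $1_r)`, would also match the usual argument style.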