From: domg472@gmail.com (Dominick Grift)
Date: Wed, 27 Oct 2010 12:32:21 +0200
Subject: [refpolicy] Adding support for the vlock program
References: <20101026124130.GE25458@localhost.localdomain>
Message-ID: <4CC7FFB5.3070600@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/27/2010 10:58 AM, TaurusHarry wrote:
>
> Hi Dom,
>
> Many thanks for reviewing my patch, I have integrated your suggestions and the attached is the v1 version for the vlock.pp.

Looks like you have missed my first reply with suggestions:

http://oss.tresys.com/pipermail/refpolicy/2010-October/003425.html:

> Thanks again,
> Harry
>
>
>
> Date: Tue, 26 Oct 2010 14:41:31 +0200
> From: domg472 at gmail.com
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Adding support for the vlock program
>
> On Tue, Oct 26, 2010 at 09:40:52AM +0000, TaurusHarry wrote:
>>
>> Hi refpolicy experts,
>>
>> I have tried to develop a vlock.pp in order to run the vlock program (2.2.2 version) on top of the latest refpolicy git tree, please see the attachment.
>>
>> I am testing on a qemu environment, the system administrator and unprivileged user could login from serial console or by ssh, both could use the vlock command to lock his current console successfully.
>>
>> How could I contribute it back to the refpolicy git tree?
>>
>> Any comment is greatly appreciated!
>
> Some more pretty insignificant cosmetic suggestions inline.
>>
>> Best regards,
>> Harry
>>
>
>> From ad4692423bcb1e10d5b9f146eab86de09b37dbb3 Mon Sep 17 00:00:00 2001
>> From: Harry Ciao
>> Date: Tue, 26 Oct 2010 14:34:11 +0800
>> Subject: [PATCH] Adding support for the vlock program
>>
>> Adding support for the vlock program.
>>
>> Tested on vlock-2.2.2, both system administrator and unprivileged user
>> could make use of vlock to lock his console successfully.
>> >> Signed-off-by: Harry Ciao >> --- >> policy/modules/apps/vlock.fc | 1 + >> policy/modules/apps/vlock.if | 48 ++++++++++++++++++++++++++ >> policy/modules/apps/vlock.te | 63 +++++++++++++++++++++++++++++++++++ >> policy/modules/system/userdomain.if | 2 + >> 4 files changed, 114 insertions(+), 0 deletions(-) >> create mode 100644 policy/modules/apps/vlock.fc >> create mode 100644 policy/modules/apps/vlock.if >> create mode 100644 policy/modules/apps/vlock.te >> >> diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc >> new file mode 100644 >> index 0000000..621d5fd >> --- /dev/null >> +++ b/policy/modules/apps/vlock.fc >> @@ -0,0 +1 @@ >> +/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) >> diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if >> new file mode 100644 >> index 0000000..259575e >> --- /dev/null >> +++ b/policy/modules/apps/vlock.if 
>> @@ -0,0 +1,48 @@ >> +## Policy for the vlock program. > > Try to put something meaningful in the summary we already know its policy so thats redundant. try something like: > > "Lock one or more sessions on the Linux console." > >> + >> +####################################### >> +## >> +## Execute vlock in the vlock domain. >> +## >> +## >> +## >> +## Domain allowed access. > > Domain allowed to transition. >> +## >> +## >> +# >> +interface(`vlock_domtrans_vlock',` >> + gen_require(` >> + type vlock_t, vlock_exec_t; >> + ') >> + >> + files_search_usr($1) >> + corecmd_search_bin($1) >> + domtrans_pattern($1, vlock_exec_t, vlock_t) >> +') >> + >> +######################################## >> +## >> +## Execute vlock in the vlock domain, and >> +## allow the specified role the vlock domain, >> +## and use the caller's terminal. > > That use the callers terminal is not applicable here. > >> +## >> +## >> +## >> +## Domain allowed access. > > Again: Domain allowed to transition. >> +## >> +## >> +## >> +## >> +## The role to be allowed the vlock domain. > > We currently use just: Role allowed access. >> +## >> +## >> +## >> +# >> +interface(`vlock_run_vlock',` >> + gen_require(` >> + type vlock_t; >> + ') >> + >> + vlock_domtrans_vlock($1) >> + role $2 types vlock_t; >> +') >> diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te >> new file mode 100644 >> index 0000000..f0fa315 >> --- /dev/null >> +++ b/policy/modules/apps/vlock.te 
>> @@ -0,0 +1,63 @@ >> +policy_module(vlock, 1.0.0) >> + >> +######################################## >> +# >> +# Declarations >> +# >> + >> +type vlock_t; >> +type vlock_exec_t; >> +application_domain(vlock_t,vlock_exec_t) >> + >> + >> +######################################## >> +# >> +# Vlock local policy >> +# >> + >> +allow vlock_t self:fd use; >> +allow vlock_t self:fifo_file rw_fifo_file_perms; >> +allow vlock_t self:unix_dgram_socket { create connect }; >> +allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; >> + >> +# dont audit the failed attempt of vlock_t to setuid/setgid, because >> +# 1. we used --enable_pam for vlock to use PAM to authenticate passwd >> +# 2. no guarantee that to make vlock setuid is safe >> +dontaudit vlock_t self:capability { setuid setgid }; >> + >> +kernel_read_system_state(vlock_t) >> + >> +corecmd_list_bin(vlock_t) >> +corecmd_read_bin_symlinks(vlock_t) >> + >> +files_read_etc_files(vlock_t) >> +files_read_var_files(vlock_t) >> +files_read_var_symlinks(vlock_t) >> + >> +init_rw_utmp(vlock_t) >> + >> +term_use_all_user_ttys(vlock_t) >> +term_use_all_user_ptys(vlock_t) >> +userdom_use_user_terminals(vlock_t) >> + >> +# Must call this interface otherwise PAM session will fail >> +# with message of "terminal=? res=failed" >> +domain_use_interactive_fds(vlock_t) >> + >> +auth_domtrans_chk_passwd(vlock_t) >> + >> +miscfiles_read_localization(vlock_t) >> + >> +logging_send_syslog_msg(vlock_t) >> + >> +selinux_getattr_fs(vlock_t) >> + >> +# When MLS enabled and vlock PAM config file using pam_tally2 module, >> +# if the caller's security level is > s0, the vlock domain should be able >> +# to write into /var/log/tallylog file which is s0. >> +mls_file_write_all_levels(vlock_t) >> + >> +# vlock could be used successfully without the search permissions on >> +# home_root_t or user_home_dir_t, suppress the related error messages. 
>> +files_dontaudit_search_home(vlock_t) >> +userdom_dontaudit_search_user_home_dirs(vlock_t) >> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if >> index 35f1476..d1bd453 100644 >> --- a/policy/modules/system/userdomain.if >> +++ b/policy/modules/system/userdomain.if >> @@ -565,6 +565,8 @@ template(`userdom_common_user_template',` >> # to this one. >> seutil_dontaudit_signal_newrole($1_t) >> >> + vlock_run_vlock($1_t,$1_r) >> + >> tunable_policy(`user_direct_mouse',` >> dev_read_mouse($1_t) >> ') >> -- >> 1.7.0.4
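
Review bot: in policy/modules/apps/vlock.if, the interface names vlock_domtrans_vlock and vlock_run_vlock repeat the module name as a suffix even though the module declares a single domain. Renaming them to vlock_domtrans and vlock_run loses nothing and shortens the call that the last hunk adds to userdomain.if.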
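
Review bot: in policy/modules/apps/vlock.te, the terminal block gives vlock_t three overlapping grants (term_use_all_user_ttys, term_use_all_user_ptys, userdom_use_user_terminals) with no comment explaining why the all-user variants are needed, unlike the other non-obvious rules in this file. If they exist so that vlock can lock every console, say so in a comment; if not, userdom_use_user_terminals(vlock_t) alone is the narrower grant. Likewise, the comment above mls_file_write_all_levels(vlock_t) justifies it with one file, /var/log/tallylog, but the call lifts the MLS write restriction for everything vlock_t is allowed to write, so the comment should state that the wider effect is accepted.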
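
Review bot: in policy/modules/system/userdomain.if, the vlock_run_vlock($1_t,$1_r) call sits bare inside userdom_common_user_template, so the system-layer userdomain module can no longer be built without the apps-layer vlock module, and every user domain created from the template gets the transition. Wrap the call in optional_policy so userdomain still compiles when vlock is not part of the build, and add a space after the comma to match domtrans_pattern($1, vlock_exec_t, vlock_t) in vlock.if.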