From: domg472@gmail.com (Dominick Grift) Date: Mon, 24 Jan 2011 15:18:50 +0100 Subject: [refpolicy] [PATCH/RFC 5/19]: patch set to update the git reference policy In-Reply-To: <1295829842.3862.64.camel@tesla.lan> References: <1295829842.3862.64.camel@tesla.lan> Message-ID: <4D3D8A4A.5090901@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if
> --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
> 
> ########################################
> ##
> +## Allow mmap_file_perms on a shell
> +## executable.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> + gen_require(`
> + type bin_t, shell_exec_t;
> + ')
> +
> + list_dirs_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> + allow $1 shell_exec_t:file mmap_file_perms;
> +')
listing bin_t directories is not strictly required to mmap shell_exec_t files.
> +
> +########################################
> +##
> ## Execute shells in the caller domain.
> ##
> ##
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-new/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100
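Review bot: The summary of the new `corecmd_mmap_file_exec_shell` interface names the permission set (`mmap_file_perms`) instead of describing the access it grants, and the summary is what the generated interface documentation shows to policy writers. As far as I recall, refpolicy's `mmap_file_perms` set includes execute alongside read, so a caller can map shell_exec_t with an executable mapping without any domain transition; the summary should make that visible rather than leave the reader to look up the macro. Something like `## Read a shell executable file and map it into memory (including executable mappings) without a domain transition.` would do.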
> @@ -51,6 +51,25 @@ interface(`mount_run',`
> 
> ########################################
> ##
> +## Get the attributes of mount
> +## executable files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_exec_getattr',`
> + gen_require(`
> + type mount_exec_t;
> + ')
> +
> + allow $1 mount_exec_t:file getattr;
> +')
mount_getattr_executable_file() or something. use permission sets (getattr_file_perms) and provide access to the location of the mount executable file (corecmd_search_bin($1)
> +
> +########################################
> +##
> ## Execute mount in the caller domain.
> ##
> ##
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-new/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/mount.te 2011-01-23 20:46:59.057098397 +0100
> @@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
> 
> +ifdef(`distro_redhat',`
> + # needed by /sbin/mount.tmpfs bash script
> + allow mount_t self:fifo_file rw_fifo_file_perms;
> +')
> +
> allow mount_t mount_loopback_t:file read_file_perms;
> 
> allow mount_t mount_tmp_t:file manage_file_perms;
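Review bot: The `distro_redhat` gate around `allow mount_t self:fifo_file rw_fifo_file_perms;` in the mount.te hunk looks narrower than the need it describes: the rule lets mount_t use its own pipes, which any shell-based mount helper running in mount_t (mount.smbfs is already executed via `corecmd_exec_bin(mount_t)` in the same file, and the shell helpers named later in this patch presumably behave the same) will hit on other distributions too. Unless the Red Hat-specific part is that only Red Hat ships a shell helper under that name, the ifdef only hides the denial elsewhere; either drop the gate or state in the comment why the rule is Red Hat-only. I would also word the comment by the general cause rather than one path, e.g. `# shell-based mount helpers (e.g. /sbin/mount.tmpfs) use pipes`.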
> @@ -51,12 +56,17 @@ kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
> 
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
> 
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts
> +corecmd_mmap_file_exec_shell(mount_t)
> +
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
> @@ -65,6 +75,7 @@ dev_rw_lvm_control(mount_t)
> dev_dontaudit_getattr_all_chr_files(mount_t)
> dev_dontaudit_getattr_memory_dev(mount_t)
> dev_getattr_sound_dev(mount_t)
> +dev_read_usbfs(mount_t)
> # Early devtmpfs, before udev relabel
> dev_dontaudit_rw_generic_chr_files(mount_t)
> 
> @@ -108,6 +119,8 @@ storage_raw_read_fixed_disk(mount_t)
> storage_raw_write_fixed_disk(mount_t)
> storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
> 
> term_use_all_terms(mount_t)
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk09ikoACgkQMlxVo39jgT9k6QCeKUwULKR8M+BlnwazqYkgohev X74AoI/BP3BQ+MENrYIO472Xq8NCyt2Y =Tr48 -----END PGP SIGNATURE-----
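Review bot: `kernel_setsched(mount_t)` in the first hunk and `dev_read_usbfs(mount_t)` in the second are added without a justification comment, while the other additions in these hunks (`corecmd_mmap_file_exec_shell`, `storage_rw_fuse`) each say which helper or filesystem needs them. As far as I recall, `kernel_setsched` lets the domain change the scheduling of kernel threads, which is a wide grant for a mount domain, so a comment naming the trigger — and a note on whether a dontaudit would suffice if the call merely has to fail quietly — would help the next reader judge it; e.g. `# needed by <mount helper or filesystem> -- TODO name it`. The comment on the mmap rule also lists `nonfs`, which is presumably a typo for `nfs`.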