From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 15 Feb 2011 10:37:27 -0500 Subject: [refpolicy] Fedora patch on tcsd. In-Reply-To: <4D51BCFF.70204@redhat.com> References: <4D51BCFF.70204@redhat.com> Message-ID: <4D5A9DB7.2000502@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 2/8/2011 5:00 PM, Daniel J Walsh wrote:
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> index 8a473e7..7fdda14 100644
> --- a/policy/modules/services/tcsd.fc
> +++ b/policy/modules/services/tcsd.fc
> @@ -1,3 +1,6 @@
> +/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
> +
> /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
> +
> /var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
>
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> index e814f69..f7d6fa3 100644
> --- a/policy/modules/services/tcsd.if
> +++ b/policy/modules/services/tcsd.if
> @@ -1 +1,153 @@
> ## TSS Core Services (TCS) daemon (tcsd) policy
> +
> +########################################
> +##
> +## Execute a domain transition to run tcsd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tcsd_domtrans',`
> + gen_require(`
> + type tcsd_t, tcsd_exec_t;
> + ')
> +
> + domtrans_pattern($1, tcsd_exec_t, tcsd_t)
> +')
> +
> +
> +########################################
> +##
> +## Execute tcsd server in the tcsd domain.
> +##
> +##
> +##
> +## The type of the process performing this action.
> +##
> +##
> +#
> +interface(`tcsd_initrc_domtrans',`
> + gen_require(`
> + type tcsd_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
> +')
> +
> +########################################
> +##
> +## Search tcsd lib directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tcsd_search_lib',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + allow $1 tcsd_var_lib_t:dir search_dir_perms;
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +##
> +## Read tcsd lib files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tcsd_read_lib_files',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +##
> +## Create, read, write, and delete
> +## tcsd lib files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tcsd_manage_lib_files',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +##
> +## Manage tcsd lib dirs files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tcsd_manage_lib_dirs',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an tcsd environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`tcsd_admin',`
> + gen_require(`
> + type tcsd_t;
> + type tcsd_initrc_exec_t;
> + type tcsd_var_lib_t;
> + ')
> +
> + allow $1 tcsd_t:process { ptrace signal_perms };
> + ps_process_pattern($1, tcsd_t)
> +
> + tcsd_initrc_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 tcsd_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_search_var_lib($1)
> + admin_pattern($1, tcsd_var_lib_t)
> +
> +')
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> index f17dafd..30d2c75 100644
> --- a/policy/modules/services/tcsd.te
> +++ b/policy/modules/services/tcsd.te
> @@ -10,7 +10,9 @@ type tcsd_exec_t;
> domain_type(tcsd_t)
> init_daemon_domain(tcsd_t, tcsd_exec_t)
>
> -# /var/lib/tpm
> +type tcsd_initrc_exec_t;
> +init_script_file(tcsd_initrc_exec_t)
> +
> type tcsd_var_lib_t;
> files_type(tcsd_var_lib_t)
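Review bot: In `tcsd_admin` (the last interface added to tcsd.if), `allow $1 tcsd_t:process { ptrace signal_perms };` hands every caller domain ptrace over the daemon that brokers TPM access, so an administrative role can read or alter tcsd's memory rather than only signal and inspect it. Nothing else in the interface depends on ptrace; `allow $1 tcsd_t:process signal_perms;` together with the existing `ps_process_pattern($1, tcsd_t)` covers service management, and ptrace can be granted separately where debugging is actually needed. The interface comments also need a pass: `tcsd_initrc_domtrans` is summarised as "Execute tcsd server in the tcsd domain" although the rule transitions through `tcsd_initrc_exec_t`, and "Manage tcsd lib dirs files." should read "Manage tcsd lib directories."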
>
> @@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid };
> allow tcsd_t self:process { signal sigkill };
> allow tcsd_t self:tcp_socket create_stream_socket_perms;
>
> -# var/lib files for tcsd
> manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
> manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
> files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
>
> -# Accept connections on the TCS port over loopback.
> corenet_all_recvfrom_unlabeled(tcsd_t)
> corenet_tcp_bind_generic_node(tcsd_t)
> corenet_tcp_bind_tcs_port(tcsd_t)
>
> dev_read_urand(tcsd_t)
> -# Access /dev/tpm0.
> dev_rw_tpm(tcsd_t)
>
> files_read_etc_files(tcsd_t)
> files_read_usr_files(tcsd_t)
>
> -# Log messages via syslog.
> +auth_use_nsswitch(tcsd_t)
> +
> logging_send_syslog_msg(tcsd_t)
>
> miscfiles_read_localization(tcsd_t)
>
> -sysnet_read_config(tcsd_t)
> +sysnet_dns_name_resolve(tcsd_t)
Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
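Review bot: The second tcsd.te hunk swaps `sysnet_read_config(tcsd_t)` for `auth_use_nsswitch(tcsd_t)` plus `sysnet_dns_name_resolve(tcsd_t)`, which moves a domain holding `dev_rw_tpm` from reading network configuration to performing name-service and DNS lookups, and no reason is given. The comment removed in the same hunk described the service as accepting connections on the TCS port over loopback, so outbound lookups look unnecessary unless tcsd resolves a user or host at startup; that is inferred from the comment, not shown in the patch. If the access is required, record why next to the rule, e.g. `# name service lookups: <reason, confirm against tcsd source>`. It is also worth checking whether `auth_use_nsswitch` already includes DNS resolution in this tree, in which case the explicit `sysnet_dns_name_resolve(tcsd_t)` line is redundant.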