From: russell@coker.com.au (Russell Coker)
Date: Sat, 30 Jul 2016 20:21:37 +1000
Subject: [refpolicy] [PATCH] boinc - latest version and terminal checks
Message-ID: <20160730102137.pg7k5czfnnp6sk7w@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch makes some changes for the latest versions of BOINC for the pathnames of the executable and logs. Makes global_prefs_override.xml writable by the daemon as it changes that in response to commands from the boincmgr program. Allows it to stat device nodes for terminals and mouse so it will know when the system is idle. Added term_getattr_generic_ptys interface for stating unused terminal devices.

diff -ru pol-git.orig/policy/modules/contrib/boinc.fc pol-git/policy/modules/contrib/boinc.fc --- pol-git.orig/policy/modules/contrib/boinc.fc 2016-07-30 08:13:50.768320877 +1000 +++ pol-git/policy/modules/contrib/boinc.fc 2016-07-30 19:44:26.789849929 +1000 
@@ -1,9 +1,13 @@ /etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) /usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) +/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0) /var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) /var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) /var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) /var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) +/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) +/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0) diff -ru pol-git.orig/policy/modules/contrib/boinc.te pol-git/policy/modules/contrib/boinc.te --- pol-git.orig/policy/modules/contrib/boinc.te 2016-07-30 08:13:50.768320877 +1000 +++ pol-git/policy/modules/contrib/boinc.te 2016-07-30 19:44:26.789849929 +1000 @@ -47,6 +47,7 @@ # Local policy # +can_exec(boinc_t, boinc_exec_t) allow boinc_t self:process { setsched setpgid signull sigkill }; allow boinc_t self:unix_stream_socket { accept listen }; allow boinc_t self:tcp_socket { accept listen }; @@ -71,12 +72,13 @@ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") -append_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) logging_log_filetrans(boinc_t, boinc_log_t, file) can_exec(boinc_t, boinc_var_lib_t) +libs_exec_lib_files(boinc_t) domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) 
@@ -170,6 +172,11 @@ allow boinc_project_t boinc_project_var_lib_t:file execmod; can_exec(boinc_project_t, boinc_project_var_lib_t) +term_getattr_ptmx(boinc_t) +dev_getattr_input_dev(boinc_t) +dev_getattr_mouse_dev(boinc_t) +term_getattr_generic_ptys(boinc_t) +userdom_getattr_user_ttys(boinc_t) allow boinc_project_t boinc_t:shm rw_shm_perms; allow boinc_project_t boinc_tmpfs_t:file { read write }; diff -ru pol-git.orig/policy/modules/kernel/terminal.if pol-git/policy/modules/kernel/terminal.if --- pol-git.orig/policy/modules/kernel/terminal.if 2016-07-28 20:33:39.963961720 +1000 +++ pol-git/policy/modules/kernel/terminal.if 2016-07-30 19:44:26.793850037 +1000 @@ -538,6 +538,23 @@ ######################################## ## +## Get the attributes of generic pty devices. +## +## +## +## Domain to allow +## +## +# +interface(`term_getattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:chr_file getattr; +') +######################################## +## ## Do not audit attempts to get the attributes ## of generic pty devices. ##
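
Review bot: in the boinc.fc hunk (@@ -1,9 +1,13 @@), the new `/etc/boinc-client/global_prefs_override.xml` entry labels a file under /etc as boinc_var_lib_t, and boinc.te carries `can_exec(boinc_t, boinc_var_lib_t)`, so the daemon gets execute access to a preferences file the message says it must also write. A dedicated type for this file, with only the write access the daemon needs, would be tighter. The `.` before `xml` is also unescaped, unlike `boinc\.log` and `boincerr\.log` in the same file. Separately, `/var/lib/boinc-client(/.*)?` is added without matching `projects` and `slots` entries, so a relabel of that tree would put those directories in boinc_var_lib_t instead of boinc_project_var_lib_t.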
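
Review bot: in the boinc.te hunk at @@ -71,12 +72,13 @@, replacing `append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)` with `manage_files_pattern` lets the daemon truncate, rename and unlink its own logs, and the message gives no reason for dropping the append-only restriction. If the new BOINC version rotates its own logs, grant only the extra permissions that needs (for example rename and unlink) and say so in the commit message. With manage in place, the `create_files_pattern` and `setattr_files_pattern` lines that follow are redundant and should be removed. `libs_exec_lib_files(boinc_t)` in the same hunk is also not mentioned in the description.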
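
Review bot: in the boinc.te hunk at @@ -170,6 +172,11 @@, the five new getattr calls are for boinc_t but are inserted between `can_exec(boinc_project_t, boinc_project_var_lib_t)` and `allow boinc_project_t boinc_t:shm rw_shm_perms;`, in the middle of the boinc_project_t rules. Move them up to the boinc_t local policy section, next to the other kernel-layer interface calls for that domain, so the idle-detection access is reviewed with the rest of the daemon's permissions.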
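
Review bot: in the terminal.if hunk (@@ -538,6 +538,23 @@), the closing `')` of `term_getattr_generic_ptys` is followed directly by the `########################################` separator of the next interface, with no blank line between them. Add one to match the rest of the file. The parameter description reads "Domain to allow", which should use the wording the neighbouring interfaces use ("Domain allowed access.").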