From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 30 Jul 2016 16:26:07 -0400 Subject: [refpolicy] [PATCH] boinc - latest version and terminal checks In-Reply-To: <20160730102137.pg7k5czfnnp6sk7w@athena.coker.com.au> References: <20160730102137.pg7k5czfnnp6sk7w@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/30/16 06:21, Russell Coker wrote: > The following patch makes some changes for the latest versions of BOINC for > the pathnames of the executable and logs. > > Makes global_prefs_override.xml writable by the daemon as it changes that > in response to commands from the boincmgr program. > > Allows it to stat device nodes for terminals and mouse so it will know when > the system is idle. > > Added term_getattr_generic_ptys interface for stating unused terminal devices. Merged, though I moved some lines around. > diff -ru pol-git.orig/policy/modules/contrib/boinc.fc pol-git/policy/modules/contrib/boinc.fc > --- pol-git.orig/policy/modules/contrib/boinc.fc 2016-07-30 08:13:50.768320877 +1000 > +++ pol-git/policy/modules/contrib/boinc.fc 2016-07-30 19:44:26.789849929 +1000 
> @@ -1,9 +1,13 @@ > /etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) > > /usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) > +/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0) > > /var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) > +/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) > /var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) > /var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) > > /var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) > +/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) > +/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0) > diff -ru pol-git.orig/policy/modules/contrib/boinc.te pol-git/policy/modules/contrib/boinc.te > --- pol-git.orig/policy/modules/contrib/boinc.te 2016-07-30 08:13:50.768320877 +1000 > +++ pol-git/policy/modules/contrib/boinc.te 2016-07-30 19:44:26.789849929 +1000 > @@ -47,6 +47,7 @@ > # Local policy > # > > +can_exec(boinc_t, boinc_exec_t) > allow boinc_t self:process { setsched setpgid signull sigkill }; > allow boinc_t self:unix_stream_socket { accept listen }; > allow boinc_t self:tcp_socket { accept listen }; > @@ -71,12 +72,13 @@ > filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") > filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") > > -append_files_pattern(boinc_t, boinc_log_t, boinc_log_t) > +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) > create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) > setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) > logging_log_filetrans(boinc_t, boinc_log_t, file) > > can_exec(boinc_t, boinc_var_lib_t) > +libs_exec_lib_files(boinc_t) > > domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) 
> > @@ -170,6 +172,11 @@ > > allow boinc_project_t boinc_project_var_lib_t:file execmod; > can_exec(boinc_project_t, boinc_project_var_lib_t) > +term_getattr_ptmx(boinc_t) > +dev_getattr_input_dev(boinc_t) > +dev_getattr_mouse_dev(boinc_t) > +term_getattr_generic_ptys(boinc_t) > +userdom_getattr_user_ttys(boinc_t) > > allow boinc_project_t boinc_t:shm rw_shm_perms; > allow boinc_project_t boinc_tmpfs_t:file { read write }; > diff -ru pol-git.orig/policy/modules/kernel/terminal.if pol-git/policy/modules/kernel/terminal.if > --- pol-git.orig/policy/modules/kernel/terminal.if 2016-07-28 20:33:39.963961720 +1000 > +++ pol-git/policy/modules/kernel/terminal.if 2016-07-30 19:44:26.793850037 +1000 > @@ -538,6 +538,23 @@ > > ######################################## > ## > +## Get the attributes of generic pty devices. > +## > +## > +## > +## Domain to allow > +## > +## > +# > +interface(`term_getattr_generic_ptys',` > + gen_require(` > + type devpts_t; > + ') > + > + allow $1 devpts_t:chr_file getattr; > +') > +######################################## > +## > ## Do not audit attempts to get the attributes > ## of generic pty devices. > ## > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
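Review bot: in the boinc.fc hunk, the new `/var/lib/boinc-client(/.*)?` entry has no matching `projects` and `slots` entries, so on a Debian-style layout a relabel (restorecon/fixfiles) will put `/var/lib/boinc-client/projects` and `/var/lib/boinc-client/slots` in boinc_var_lib_t rather than boinc_project_var_lib_t; the existing `filetrans_pattern` rules only cover directories the daemon creates at run time, not ones already on disk. Suggest adding `/var/lib/boinc-client/projects(/.*)?` and `/var/lib/boinc-client/slots(/.*)?` with boinc_project_var_lib_t beside the existing `/var/lib/boinc/projects` and `/var/lib/boinc/slots` lines. Two smaller points in the same hunk: the `/etc/boinc-client/global_prefs_override.xml` line is appended after the `/var/log` entries rather than next to the other `/etc` entry at the top of the file, and labelling a config file under `/etc` as boinc_var_lib_t puts it in a type the domain is already allowed to execute (`can_exec(boinc_t, boinc_var_lib_t)` in boinc.te); if only write access is needed, a dedicated type for the override file would keep the executable set unchanged.

Review bot: the `can_exec(boinc_t, boinc_exec_t)` line in the first boinc.te hunk has no comment explaining why the daemon needs to execute its own entry-point binary; the commit message only mentions pathname and log changes. A one-line comment above it (for example that the client re-executes itself) would save the next reader from having to reverse this from audit logs.

Review bot: in the second boinc.te hunk, replacing `append_files_pattern` with `manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)` lets the daemon unlink, rename and rewrite its own log files, which is a step down in log integrity from the previous append-only rule, and the commit message does not say which of those permissions the new version actually needs. If the motivation is the added `/var/log/boincerr.log` file, create plus append already covers it; if it is in-process rotation, granting rename (and unlink if required) explicitly would be narrower than manage. Independently, once `manage_files_pattern` is in place the `create_files_pattern` and `setattr_files_pattern` lines that follow it become redundant, since manage_file_perms already includes create and setattr, and should be dropped.

Review bot: in the third boinc.te hunk the five new `*_getattr_*(boinc_t)` calls (`term_getattr_ptmx`, `dev_getattr_input_dev`, `dev_getattr_mouse_dev`, `term_getattr_generic_ptys`, `userdom_getattr_user_ttys`) are inserted between `can_exec(boinc_project_t, ...)` and `allow boinc_project_t boinc_t:shm ...`, i.e. inside the boinc_project_t local policy block even though they apply to boinc_t. They belong in the boinc_t section earlier in the file, sorted with the other `dev_`, `term_` and `userdom_` interface calls there.

Review bot: in the terminal.if hunk, the new `term_getattr_generic_ptys` interface closes with `+')` and is immediately followed by `+########################################` with no blank line between them, whereas every other interface in the file is separated from the next banner by an empty line; add the blank line so the file stays consistent. The rule itself (`allow $1 devpts_t:chr_file getattr;`) is the right minimal permission for the stated use of stat'ing unused terminals, and it is correctly placed next to the existing dontaudit variant for generic ptys.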