From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 31 Dec 2016 11:09:41 -0500
Subject: [refpolicy] boinc patch for inclusion
In-Reply-To: <20161231101647.hqiobvyph4rh7ckv@athena.coker.com.au>
References: <20161231101647.hqiobvyph4rh7ckv@athena.coker.com.au>
Message-ID: <1e767c1e-91a8-0fd2-667b-d7dbb3eeeb4b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/31/16 05:16, Russell Coker via refpolicy wrote:
> Below is my final boinc patch. It runs well on several systems.
>
> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/boinc.te ./policy/modules/contrib/boinc.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/boinc.te 2016-11-02 14:53:37.763215655 +1100
> +++ ./policy/modules/contrib/boinc.te 2016-12-31 21:14:18.482560122 +1100
> @@ -85,6 +85,7 @@
>
> kernel_read_system_state(boinc_t)
> kernel_search_vm_sysctl(boinc_t)
> +kernel_read_crypto_sysctls(boinc_t)
>
> corenet_all_recvfrom_unlabeled(boinc_t)
> corenet_all_recvfrom_netlabel(boinc_t)
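Review bot: the new `kernel_read_crypto_sysctls(boinc_t)` line in this hunk comes with no rationale in the cover note ("runs well on several systems" does not say which denial or feature needed it); please state in the submission which boinc operation reads the crypto sysctls, so the added kernel access can be judged on its own rather than accepted as part of the bundle.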
> @@ -143,6 +144,10 @@
> miscfiles_read_fonts(boinc_t)
> miscfiles_read_localization(boinc_t)
>
> +xserver_list_xdm_tmp(boinc_t)
> +corenet_tcp_connect_xserver_port(boinc_t)
> +xserver_non_drawing_client(boinc_t)
It's been a long time since I used boinc. IIRC it can be headless? If
so then these should be optional.
> tunable_policy(`boinc_execmem',`
> allow boinc_t self:process { execstack execmem };
> ')
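Review bot: the three X-related calls added at +144 (`xserver_list_xdm_tmp`, `corenet_tcp_connect_xserver_port`, `xserver_non_drawing_client`) are granted to boinc_t unconditionally, although xserver is a separate module and, as noted above, boinc can run headless; wrap them in an `optional_policy(` ... `)` block so the policy still builds without xserver and a headless client is not given X access it never uses. Also, the header `@@ -143,6 +144,10 @@` accounts for four added lines but only three `+` lines are quoted, so check that a line was not dropped from the patch as posted.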
> diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
> --- /home/rjc/src/pol-git/policy/modules/services/xserver.if 2016-12-31 21:09:24.677504879 +1100
> +++ ./policy/modules/services/xserver.if 2016-12-31 21:14:18.486560245 +1100
> @@ -1236,6 +1236,24 @@
>
> ########################################
> ##
> +## list xdm_tmp_t directories
> +##
> +##
> +##
> +## Domain to allow
> +##
> +##
> +#
> +interface(`xserver_list_xdm_tmp',`
> + gen_require(`
> + type xdm_tmp_t;
> + ')
> +
> + allow $1 xdm_tmp_t:dir list_dir_perms;
> +')
> +
> +########################################
> +##
> ## Execute the X server in the X server domain.
> ##
> ##
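Review bot: the documentation block of the new `xserver_list_xdm_tmp` interface does not match the markup used by the other interfaces in xserver.if; as quoted it carries only bare `## list xdm_tmp_t directories` and `## Domain to allow` lines, with no refpolicy XML tags (`<summary>`, `<desc>`, `<param name="domain">`), so the interface would be missing from or garbled in the generated documentation if that is not just a quoting artifact. Use the standard form, a capitalised summary ending in a period (`## List xdm_tmp_t directories.`) inside `<summary>` and the usual `## Domain allowed access.` wording for the parameter, so the new interface is consistent with its neighbours.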
--
Chris PeBenito