2011-02-08 22:00:31

by Daniel Walsh

Subject: [refpolicy] Fedora patch on tcsd.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcsd.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110208/fa261422/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcsd.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110208/fa261422/attachment.bin


2011-02-15 15:37:27

by cpebenito

Subject: [refpolicy] Fedora patch on tcsd.

On 2/8/2011 5:00 PM, Daniel J Walsh wrote:
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> index 8a473e7..7fdda14 100644
> --- a/policy/modules/services/tcsd.fc
> +++ b/policy/modules/services/tcsd.fc
> @@ -1,3 +1,6 @@
> +/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
> +
> /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
> +
> /var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
>
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> index e814f69..f7d6fa3 100644
> --- a/policy/modules/services/tcsd.if
> +++ b/policy/modules/services/tcsd.if
> @@ -1 +1,153 @@
> ## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run tcsd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_domtrans',`
> + gen_require(`
> + type tcsd_t, tcsd_exec_t;
> + ')
> +
> + domtrans_pattern($1, tcsd_exec_t, tcsd_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +## Execute tcsd server in the tcsd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_initrc_domtrans',`
> + gen_require(`
> + type tcsd_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Search tcsd lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_search_lib',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + allow $1 tcsd_var_lib_t:dir search_dir_perms;
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read tcsd lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_read_lib_files',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## tcsd lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_manage_lib_files',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage tcsd lib dirs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_manage_lib_dirs',`
> + gen_require(`
> + type tcsd_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an tcsd environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`tcsd_admin',`
> + gen_require(`
> + type tcsd_t;
> + type tcsd_initrc_exec_t;
> + type tcsd_var_lib_t;
> + ')
> +
> + allow $1 tcsd_t:process { ptrace signal_perms };
> + ps_process_pattern($1, tcsd_t)
> +
> + tcsd_initrc_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 tcsd_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_search_var_lib($1)
> + admin_pattern($1, tcsd_var_lib_t)
> +
> +')
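Review bot: `tcsd_admin` grants `ptrace` on `tcsd_t` to every domain passed as `$1`, which lets an admin domain read and alter the memory of the daemon that holds the TPM device open (`dev_rw_tpm(tcsd_t)` in tcsd.te). Managing the service needs signals, the init script transition and access to `tcsd_var_lib_t`, none of which depend on ptrace, so I would narrow the rule to `allow $1 tcsd_t:process signal_perms;` and grant ptrace separately only to a caller that shows a need for it. The same interface also applies `admin_pattern` to `tcsd_var_lib_t`, which the file contexts map to `/var/lib/tpm`; the doc header should say so, for example `## Callers can signal tcsd and fully manage its /var/lib/tpm state.`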
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> index f17dafd..30d2c75 100644
> --- a/policy/modules/services/tcsd.te
> +++ b/policy/modules/services/tcsd.te
> @@ -10,7 +10,9 @@ type tcsd_exec_t;
> domain_type(tcsd_t)
> init_daemon_domain(tcsd_t, tcsd_exec_t)
>
> -# /var/lib/tpm
> +type tcsd_initrc_exec_t;
> +init_script_file(tcsd_initrc_exec_t)
> +
> type tcsd_var_lib_t;
> files_type(tcsd_var_lib_t)
>
> @@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid };
> allow tcsd_t self:process { signal sigkill };
> allow tcsd_t self:tcp_socket create_stream_socket_perms;
>
> -# var/lib files for tcsd
> manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
> manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
> files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
>
> -# Accept connections on the TCS port over loopback.
> corenet_all_recvfrom_unlabeled(tcsd_t)
> corenet_tcp_bind_generic_node(tcsd_t)
> corenet_tcp_bind_tcs_port(tcsd_t)
>
> dev_read_urand(tcsd_t)
> -# Access /dev/tpm0.
> dev_rw_tpm(tcsd_t)
>
> files_read_etc_files(tcsd_t)
> files_read_usr_files(tcsd_t)
>
> -# Log messages via syslog.
> +auth_use_nsswitch(tcsd_t)
> +
> logging_send_syslog_msg(tcsd_t)
>
> miscfiles_read_localization(tcsd_t)
>
> -sysnet_read_config(tcsd_t)
> +sysnet_dns_name_resolve(tcsd_t)
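Review bot: `auth_use_nsswitch(tcsd_t)` and `sysnet_dns_name_resolve(tcsd_t)` widen what the daemon may do on the network compared with the `sysnet_read_config(tcsd_t)` they replace, and the hunk gives no reason for either. The removed comment described tcsd as accepting connections on the TCS port over loopback, so outbound name-service access deserves a line of justification; presumably it serves the account lookup behind the `setuid` capability, e.g. `# Look up the account tcsd switches to (setuid) through nsswitch.` If `auth_use_nsswitch` already includes DNS resolution in this tree, the final `sysnet_dns_name_resolve` line is redundant and can go. This hunk and the one before it also delete the why-comments (`# Access /dev/tpm0.`, `# Log messages via syslog.`, `# /var/lib/tpm`); I would keep them, since they record which rule serves which resource.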

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com