2016-07-30 10:21:37

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] [PATCH] boinc - latest version and terminal checks

The following patch makes some changes for the latest versions of BOINC for
the pathnames of the executable and logs.

Makes global_prefs_override.xml writable by the daemon as it changes that
in response to commands from the boincmgr program.

Allows it to stat device nodes for terminals and mouse so it will know when
the system is idle.

Added term_getattr_generic_ptys interface for stating unused terminal devices.

diff -ru pol-git.orig/policy/modules/contrib/boinc.fc pol-git/policy/modules/contrib/boinc.fc
--- pol-git.orig/policy/modules/contrib/boinc.fc 2016-07-30 08:13:50.768320877 +1000
+++ pol-git/policy/modules/contrib/boinc.fc 2016-07-30 19:44:26.789849929 +1000
@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)

/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0)

/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)

/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
diff -ru pol-git.orig/policy/modules/contrib/boinc.te pol-git/policy/modules/contrib/boinc.te
--- pol-git.orig/policy/modules/contrib/boinc.te 2016-07-30 08:13:50.768320877 +1000
+++ pol-git/policy/modules/contrib/boinc.te 2016-07-30 19:44:26.789849929 +1000
@@ -47,6 +47,7 @@
# Local policy
#

+can_exec(boinc_t, boinc_exec_t)
allow boinc_t self:process { setsched setpgid signull sigkill };
allow boinc_t self:unix_stream_socket { accept listen };
allow boinc_t self:tcp_socket { accept listen };
@@ -71,12 +72,13 @@
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")

-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
logging_log_filetrans(boinc_t, boinc_log_t, file)

can_exec(boinc_t, boinc_var_lib_t)
+libs_exec_lib_files(boinc_t)

domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)

@@ -170,6 +172,11 @@

allow boinc_project_t boinc_project_var_lib_t:file execmod;
can_exec(boinc_project_t, boinc_project_var_lib_t)
+term_getattr_ptmx(boinc_t)
+dev_getattr_input_dev(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+term_getattr_generic_ptys(boinc_t)
+userdom_getattr_user_ttys(boinc_t)

allow boinc_project_t boinc_t:shm rw_shm_perms;
allow boinc_project_t boinc_tmpfs_t:file { read write };
diff -ru pol-git.orig/policy/modules/kernel/terminal.if pol-git/policy/modules/kernel/terminal.if
--- pol-git.orig/policy/modules/kernel/terminal.if 2016-07-28 20:33:39.963961720 +1000
+++ pol-git/policy/modules/kernel/terminal.if 2016-07-30 19:44:26.793850037 +1000
@@ -538,6 +538,23 @@

########################################
## <summary>
+## Get the attributes of generic pty devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`term_getattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:chr_file getattr;
+')
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of generic pty devices.
## </summary>


2016-07-30 20:26:07

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH] boinc - latest version and terminal checks

On 07/30/16 06:21, Russell Coker wrote:
> The following patch makes some changes for the latest versions of BOINC for
> the pathnames of the executable and logs.
>
> Makes global_prefs_override.xml writable by the daemon as it changes that
> in response to commands from the boincmgr program.
>
> Allows it to stat device nodes for terminals and mouse so it will know when
> the system is idle.
>
> Added term_getattr_generic_ptys interface for stating unused terminal devices.

Merged, though I moved some lines around.



> diff -ru pol-git.orig/policy/modules/contrib/boinc.fc pol-git/policy/modules/contrib/boinc.fc
> --- pol-git.orig/policy/modules/contrib/boinc.fc 2016-07-30 08:13:50.768320877 +1000
> +++ pol-git/policy/modules/contrib/boinc.fc 2016-07-30 19:44:26.789849929 +1000
> @@ -1,9 +1,13 @@
> /etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
>
> /usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
> +/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0)
>
> /var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
> +/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
> /var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
> /var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
>
> /var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
> +/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
> +/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
> diff -ru pol-git.orig/policy/modules/contrib/boinc.te pol-git/policy/modules/contrib/boinc.te
> --- pol-git.orig/policy/modules/contrib/boinc.te 2016-07-30 08:13:50.768320877 +1000
> +++ pol-git/policy/modules/contrib/boinc.te 2016-07-30 19:44:26.789849929 +1000
> @@ -47,6 +47,7 @@
> # Local policy
> #
>
> +can_exec(boinc_t, boinc_exec_t)
> allow boinc_t self:process { setsched setpgid signull sigkill };
> allow boinc_t self:unix_stream_socket { accept listen };
> allow boinc_t self:tcp_socket { accept listen };
> @@ -71,12 +72,13 @@
> filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
> filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
>
> -append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
> +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
> create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
> setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
> logging_log_filetrans(boinc_t, boinc_log_t, file)
>
> can_exec(boinc_t, boinc_var_lib_t)
> +libs_exec_lib_files(boinc_t)
>
> domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
>
> @@ -170,6 +172,11 @@
>
> allow boinc_project_t boinc_project_var_lib_t:file execmod;
> can_exec(boinc_project_t, boinc_project_var_lib_t)
> +term_getattr_ptmx(boinc_t)
> +dev_getattr_input_dev(boinc_t)
> +dev_getattr_mouse_dev(boinc_t)
> +term_getattr_generic_ptys(boinc_t)
> +userdom_getattr_user_ttys(boinc_t)
>
> allow boinc_project_t boinc_t:shm rw_shm_perms;
> allow boinc_project_t boinc_tmpfs_t:file { read write };
> diff -ru pol-git.orig/policy/modules/kernel/terminal.if pol-git/policy/modules/kernel/terminal.if
> --- pol-git.orig/policy/modules/kernel/terminal.if 2016-07-28 20:33:39.963961720 +1000
> +++ pol-git/policy/modules/kernel/terminal.if 2016-07-30 19:44:26.793850037 +1000
> @@ -538,6 +538,23 @@
>
> ########################################
> ## <summary>
> +## Get the attributes of generic pty devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to allow
> +## </summary>
> +## </param>
> +#
> +interface(`term_getattr_generic_ptys',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:chr_file getattr;
> +')
> +########################################
> +## <summary>
> ## Do not audit attempts to get the attributes
> ## of generic pty devices.
> ## </summary>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito