From: Thomas Bleher <bleher@informatik.uni-muenchen.de>
To: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Cc: SELinux ML <selinux@tycho.nsa.gov>
Subject: cdrecord patch [was: Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)]
Date: Mon, 18 Oct 2004 23:58:02 +0200 [thread overview]
Message-ID: <20041018215802.GD2536@jmh.mhn.de> (raw)
In-Reply-To: <20041018143842.GP19398@lkcl.net>
[-- Attachment #1.1: Type: text/plain, Size: 941 bytes --]
* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-10-18 17:47]:
> ah ha! thomas, thank you v. much: i [badly] hacked up something
> for k3b to use some time ago.
>
> On Mon, Oct 18, 2004 at 02:43:32PM +0200, Thomas Bleher wrote:
>
> > I have just written selinux policy for cdrecord. While writing this
> > policy cdrecord constantly locked up the computer (even in permissive
> > mode). When booting with selinux=0 the problem went away.
Attached is an updated policy for inclusion into CVS. The previous
version missed some permissions. With the current version I have
successfully burnt a CD in enforcing mode.
Thomas
PS: This patch uses the can_resmgrd_connect() macro which was posted a
while but is not yet in CVS. It can be removed if the other patch is not
merged.
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
[-- Attachment #1.2: cdrecord.patch --]
[-- Type: text/plain, Size: 3412 bytes --]
diff -urN orig/domains/program/unused/cdrecord.te mod/domains/program/unused/cdrecord.te
--- orig/domains/program/unused/cdrecord.te 1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/unused/cdrecord.te 2004-10-18 23:51:18.000000000 +0200
@@ -0,0 +1,10 @@
+# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+# Type for the cdrecord excutable.
+type cdrecord_exec_t, file_type, sysadmfile, exec_type;
+
+# everything else is in the cdrecord_domain macros in
+# macros/program/cdrecord_macros.te.
+
diff -urN orig/file_contexts/program/cdrecord.fc mod/file_contexts/program/cdrecord.fc
--- orig/file_contexts/program/cdrecord.fc 1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/cdrecord.fc 2004-10-18 23:51:44.000000000 +0200
@@ -0,0 +1,3 @@
+# cdrecord
+/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t
+
diff -urN orig/macros/base_user_macros.te mod/macros/base_user_macros.te
--- orig/macros/base_user_macros.te 2004-10-18 23:50:53.000000000 +0200
+++ mod/macros/base_user_macros.te 2004-10-18 23:37:59.000000000 +0200
@@ -167,6 +167,7 @@
ifdef(`irc.te', `irc_domain($1)')
ifdef(`using_spamassassin', `spamassassin_domain($1)')
ifdef(`uml.te', `uml_domain($1)')
+ifdef(`cdrecord.te', `cdrecord_domain($1)')
# Instantiate a derived domain for user cron jobs.
ifdef(`crond.te', `crond_domain($1)')
diff -urN orig/macros/program/cdrecord_macros.te mod/macros/program/cdrecord_macros.te
--- orig/macros/program/cdrecord_macros.te 1970-01-01 01:00:00.000000000 +0100
+++ mod/macros/program/cdrecord_macros.te 2004-10-18 23:51:36.000000000 +0200
@@ -0,0 +1,51 @@
+# macros for the cdrecord domain
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+define(`cdrecord_domain', `
+type $1_cdrecord_t, domain, privlog;
+
+domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_cdrecord_t;
+
+uses_shlib($1_cdrecord_t)
+read_locale($1_cdrecord_t)
+
+# allow ps to show cdrecord and allow the user to kill it
+can_ps($1_t, $1_cdrecord_t)
+allow $1_t $1_cdrecord_t:process signal;
+
+# write to the user domain tty.
+allow $1_cdrecord_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_cdrecord_t privfd:fd use;
+
+allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write };
+
+allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+can_resmgrd_connect($1_cdrecord_t)
+
+allow $1_cdrecord_t home_root_t:dir { search };
+
+# allow cdrecord to read user files
+r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
+ifdef(`nfs_home_dirs', `
+r_dir_file($1_cdrecord_t, nfs_t)
+')dnl end if nfs_home_dirs
+
+# allow searching for cdrom-drive
+allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:lnk_file { getattr read };
+
+# allow cdrecord to write the CD
+allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
+allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
+
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
+allow $1_cdrecord_t self:process { getsched setsched fork };
+
+')
+
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2004-10-18 21:57 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-10-18 12:43 cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler) Thomas Bleher
2004-10-18 13:49 ` Stephen Smalley
2004-10-18 15:03 ` James Morris
2004-10-18 19:11 ` Chris Wright
[not found] ` <4173F737.1070204@immunix.com>
2004-10-18 19:07 ` Stephen Smalley
2004-10-18 19:14 ` Chris Wright
[not found] ` <20041018214052.GB4336@immunix.com>
2004-10-19 12:14 ` Stephen Smalley
2004-10-19 16:21 ` Chris Wright
2004-10-19 18:17 ` Stephen Smalley
2004-10-19 18:27 ` Chris Wright
2004-10-19 18:36 ` James Morris
2004-10-19 18:39 ` Chris Wright
2004-10-19 18:52 ` Stephen Smalley
2004-10-19 19:02 ` Chris Wright
2004-10-19 19:14 ` Stephen Smalley
2004-10-19 19:20 ` Chris Wright
2004-10-19 20:09 ` Stephen Smalley
2004-10-19 20:17 ` Stephen Smalley
2004-10-19 20:42 ` James Morris
2004-10-19 21:09 ` Chris Wright
2004-10-20 12:23 ` Stephen Smalley
2004-10-20 12:44 ` Stephen Smalley
[not found] ` <20041020154909.GA1917@immunix.com>
2004-10-20 16:01 ` Stephen Smalley
2004-10-20 16:07 ` Chris Wright
2004-10-20 17:41 ` Chris Wright
2004-10-20 20:05 ` Stephen Smalley
2004-10-21 0:28 ` Chris Wright
2004-10-18 14:38 ` Luke Kenneth Casson Leighton
2004-10-18 21:58 ` Thomas Bleher [this message]
2004-10-29 19:31 ` cdrecord patch [was: Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)] James Carter
2004-11-01 16:18 ` Patch to make can_network stronger and remove nscd tunable Daniel J Walsh
2004-11-02 13:27 ` Russell Coker
2004-11-02 14:30 ` Daniel J Walsh
2004-11-02 14:39 ` Stephen Smalley
2004-11-02 14:44 ` Daniel J Walsh
2004-11-02 14:50 ` Daniel J Walsh
2004-11-02 15:38 ` Russell Coker
2004-11-02 15:48 ` Russell Coker
2004-11-02 15:55 ` Daniel J Walsh
2004-11-03 5:23 ` Russell Coker
2004-11-02 15:56 ` Daniel J Walsh
2004-11-03 0:07 ` Thomas Bleher
2004-11-03 6:16 ` Russell Coker
2004-11-03 16:17 ` Daniel J Walsh
2004-11-03 5:41 ` Russell Coker
2004-11-03 16:23 ` Daniel J Walsh
2004-11-03 18:45 ` Colin Walters
2004-11-03 22:13 ` Colin Walters
2004-11-03 22:49 ` Daniel J Walsh
2004-11-05 13:10 ` Thomas Bleher
2004-11-05 13:38 ` Stephen Smalley
2004-11-05 21:24 ` James Carter
2004-11-06 10:46 ` Thomas Bleher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041018215802.GD2536@jmh.mhn.de \
--to=bleher@informatik.uni-muenchen.de \
--cc=lkcl@lkcl.net \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.