From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Adding support for the vlock program
Date: Tue, 26 Oct 2010 14:41:31 +0200
Message-ID: <20101026124130.GE25458@localhost.localdomain>
In-Reply-To: <SNT139-W13A043DA44CA6C4BB2E4A8AB420@phx.gbl>
On Tue, Oct 26, 2010 at 09:40:52AM +0000, TaurusHarry wrote:
>
> Hi refpolicy experts,
>
> I have tried to develop a vlock.pp in order to run the vlock program (version 2.2.2) on top of the latest refpolicy git tree; please see the attachment.
>
> I am testing in a qemu environment; both the system administrator and an unprivileged user could log in from the serial console or by ssh, and both could use the vlock command to lock their current console successfully.
>
> How could I contribute it back to the refpolicy git tree?
>
> Any comment is greatly appreciated!
Some more pretty insignificant cosmetic suggestions inline.
>
> Best regards,
> Harry
>
> From ad4692423bcb1e10d5b9f146eab86de09b37dbb3 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <qingtao.cao@windriver.com>
> Date: Tue, 26 Oct 2010 14:34:11 +0800
> Subject: [PATCH] Adding support for the vlock program
>
> Adding support for the vlock program.
>
> Tested on vlock-2.2.2; both the system administrator and an unprivileged user
> could make use of vlock to lock their console successfully.
>
> Signed-off-by: Harry Ciao <harrytaurus2002@hotmail.com>
> ---
> policy/modules/apps/vlock.fc | 1 +
> policy/modules/apps/vlock.if | 48 ++++++++++++++++++++++++++
> policy/modules/apps/vlock.te | 63 +++++++++++++++++++++++++++++++++++
> policy/modules/system/userdomain.if | 2 +
> 4 files changed, 114 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/apps/vlock.fc
> create mode 100644 policy/modules/apps/vlock.if
> create mode 100644 policy/modules/apps/vlock.te
>
> diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
> new file mode 100644
> index 0000000..621d5fd
> --- /dev/null
> +++ b/policy/modules/apps/vlock.fc
> @@ -0,0 +1 @@
> +/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
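Review bot: the only path labeled vlock_exec_t is /usr/sbin/vlock-main, and the domain transition in vlock.te is keyed solely on that label; confirm that this is the binary users actually invoke on the target system (the description mentions vlock-2.2.2), because a vlock installed under a different path would keep running in the caller's domain and none of the vlock_t rules would ever apply. The `--` regular-file qualifier is correct for an executable.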
> diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if
> new file mode 100644
> index 0000000..259575e
> --- /dev/null
> +++ b/policy/modules/apps/vlock.if
> @@ -0,0 +1,48 @@
> +## <summary>Policy for the vlock program.</summary>
Try to put something meaningful in the summary; we already know it's policy, so that's redundant. Try something like:
"Lock one or more sessions on the Linux console."
> +
> +#######################################
> +## <summary>
> +## Execute vlock in the vlock domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`vlock_domtrans_vlock',`
> + gen_require(`
> + type vlock_t, vlock_exec_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + domtrans_pattern($1, vlock_exec_t, vlock_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute vlock in the vlock domain, and
> +## allow the specified role the vlock domain,
> +## and use the caller's terminal.
That "use the caller's terminal" is not applicable here.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
Again: Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed the vlock domain.
We currently use just: Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`vlock_run_vlock',`
> + gen_require(`
> + type vlock_t;
> + ')
> +
> + vlock_domtrans_vlock($1)
> + role $2 types vlock_t;
> +')
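Review bot: the summary of vlock_run_vlock (lines "Execute vlock in the vlock domain, and / allow the specified role the vlock domain, / and use the caller's terminal.") documents a terminal rule that the body does not contain; the body only calls vlock_domtrans_vlock($1) and adds `role $2 types vlock_t;`, so either drop that clause from the summary or add the rule it describes. The documentation is the defect here, the interface bodies themselves look right: gen_require lists exactly the types used, and files_search_usr/corecmd_search_bin match the /usr/sbin location of the executable. As a style suggestion, the _vlock suffix repeats the module name; vlock_domtrans and vlock_run would read more naturally.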
> diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
> new file mode 100644
> index 0000000..f0fa315
> --- /dev/null
> +++ b/policy/modules/apps/vlock.te
> @@ -0,0 +1,63 @@
> +policy_module(vlock, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type vlock_t;
> +type vlock_exec_t;
> +application_domain(vlock_t,vlock_exec_t)
> +
> +
> +########################################
> +#
> +# Vlock local policy
> +#
> +
> +allow vlock_t self:fd use;
> +allow vlock_t self:fifo_file rw_fifo_file_perms;
> +allow vlock_t self:unix_dgram_socket { create connect };
> +allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +
> +# dont audit the failed attempt of vlock_t to setuid/setgid, because
> +# 1. we used --enable_pam for vlock to use PAM to authenticate passwd
> +# 2. no guarantee that to make vlock setuid is safe
> +dontaudit vlock_t self:capability { setuid setgid };
> +
> +kernel_read_system_state(vlock_t)
> +
> +corecmd_list_bin(vlock_t)
> +corecmd_read_bin_symlinks(vlock_t)
> +
> +files_read_etc_files(vlock_t)
> +files_read_var_files(vlock_t)
> +files_read_var_symlinks(vlock_t)
> +
> +init_rw_utmp(vlock_t)
> +
> +term_use_all_user_ttys(vlock_t)
> +term_use_all_user_ptys(vlock_t)
> +userdom_use_user_terminals(vlock_t)
> +
> +# Must call this interface otherwise PAM session will fail
> +# with message of "terminal=? res=failed"
> +domain_use_interactive_fds(vlock_t)
> +
> +auth_domtrans_chk_passwd(vlock_t)
> +
> +miscfiles_read_localization(vlock_t)
> +
> +logging_send_syslog_msg(vlock_t)
> +
> +selinux_getattr_fs(vlock_t)
> +
> +# When MLS enabled and vlock PAM config file using pam_tally2 module,
> +# if the caller's security level is > s0, the vlock domain should be able
> +# to write into /var/log/tallylog file which is s0.
> +mls_file_write_all_levels(vlock_t)
> +
> +# vlock could be used successfully without the search permissions on
> +# home_root_t or user_home_dir_t, suppress the related error messages.
> +files_dontaudit_search_home(vlock_t)
> +userdom_dontaudit_search_user_home_dirs(vlock_t)
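Review bot: mls_file_write_all_levels(vlock_t) is far broader than the justification in the comment above it (writing /var/log/tallylog at s0 from a caller at a higher level); it lets vlock_t write files at every MLS level, so prefer a narrower MLS interface if one covers this case, or at least state in the comment that the wide override is deliberate. Also: term_use_all_user_ttys/term_use_all_user_ptys and userdom_use_user_terminals appear to overlap, so confirm both sets are needed; the double blank line after application_domain(...) and the missing space after the comma in application_domain(vlock_t,vlock_exec_t) deviate from refpolicy formatting, and the comment block for the setuid/setgid dontaudit should be reflowed to refpolicy's comment style.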
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 35f1476..d1bd453 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -565,6 +565,8 @@ template(`userdom_common_user_template',`
> # to this one.
> seutil_dontaudit_signal_newrole($1_t)
>
> + vlock_run_vlock($1_t,$1_r)
> +
> tunable_policy(`user_direct_mouse',`
> dev_read_mouse($1_t)
> ')
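Review bot: vlock_run_vlock($1_t,$1_r) is called unconditionally from userdom_common_user_template, which makes the base userdomain module fail to build unless the vlock module is present; calls into an application module from userdomain.if should be wrapped in optional_policy(`...') so that systems without vlock still build, matching the other application calls in this template. Minor: refpolicy style puts a space after the comma in argument lists, i.e. vlock_run_vlock($1_t, $1_r).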
> --
> 1.7.0.4
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Thread overview: 13+ messages
2010-10-26 9:40 [refpolicy] Adding support for the vlock program TaurusHarry
2010-10-26 11:21 ` Dominick Grift
2010-10-28 8:38 ` TaurusHarry
2010-10-28 8:54 ` Dominick Grift
2010-10-30 11:38 ` TaurusHarry
2010-11-01 15:28 ` Christopher J. PeBenito
2010-11-02 7:17 ` HarryCiao
2010-11-02 7:53 ` Dominick Grift
2010-11-02 13:23 ` Christopher J. PeBenito
2010-11-02 13:20 ` Christopher J. PeBenito
2010-10-26 12:41 ` Dominick Grift [this message]
2010-10-27 8:58 ` TaurusHarry
2010-10-27 10:32 ` Dominick Grift