* [ RESEND ] Fedora Rawhide mplayer policy
From: Ivan Gyurdiev @ 2005-01-28 20:38 UTC (permalink / raw)
To: selinux; +Cc: dwalsh
[-- Attachment #1: Type: text/plain, Size: 535 bytes --]
So, how about this policy again?
I didn't get too many comments last time.
Do you find it useful, or have you decided to go with
a tunable for reading /dev/rtc?
There are more things involved than reading /dev/rtc; for example,
mplayer required execute permissions on /usr/lib/win32,
which is of type { lib_t } by default. I relabeled it to win32_lib_t.
The win32 loader needs { execmem }.
Any more comments?
Latest version attached.
It's for selinux-policy-strict-1.21.4-2.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
[-- Attachment #2: base_user_macros.patch --]
[-- Type: text/x-patch, Size: 439 bytes --]
--- base_user_macros.te 2005-01-27 15:02:48.000000000 -0700
+++ base_user_macros.new 2005-01-27 15:02:20.000000000 -0700
@@ -188,6 +188,10 @@
ifdef(`using_spamassassin', `spamassassin_domain($1)')
ifdef(`uml.te', `uml_domain($1)')
ifdef(`cdrecord.te', `cdrecord_domain($1)')
+ifdef(`mplayer.te', `
+mplayer_domain($1)
+mencoder_domain($1)
+')
# Instantiate a derived domain for user cron jobs.
ifdef(`crond.te', `crond_domain($1)')
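Review bot: the new ifdef(`mplayer.te', ...) block instantiates both mplayer_domain($1) and mencoder_domain($1) for every user prefix that base_user_macros.te is expanded for, and mplayer_common grants those derived domains execmem and execute on win32_lib_t; if that expansion includes the administrative user, the grant lands there too, so either state in a comment that this is intended or guard the instantiation so it can be switched off per user, as the surrounding ifdef entries allow per program. A short comment above the block naming what the two domains are for would also match the "# Instantiate a derived domain for user cron jobs." style used just below it.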
[-- Attachment #3: mplayer.fc --]
[-- Type: text/plain, Size: 247 bytes --]
# mplayer
/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t
/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t
/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t
HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_rw_t
[-- Attachment #4: mplayer_macros.te --]
[-- Type: text/plain, Size: 2896 bytes --]
#
# Macros for mplayer
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
#
# mplayer_domain(domain_prefix)
# mencoder_domain(domain_prefix)
################################################
# mplayer_common(prefix, mplayer domain) #
################################################
define(`mplayer_common',`
# Home directory stuff
if (use_nfs_home_dirs) {
create_dir_file($1_$2_t, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1_$2_t, cifs_t)
}
allow $1_$2_t autofs_t:dir { search getattr };
# Read local config
r_dir_file($1_$2_t, $1_mplayer_rw_t)
# Read global config
r_dir_file($1_$2_t, mplayer_etc_t)
# Read data in /usr/share (fonts, icons..)
r_dir_file($1_$2_t, usr_t)
# Read /proc files and directories
# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
allow $1_$2_t proc_t:dir search;
allow $1_$2_t proc_t:file { getattr read };
# Sysctl on kernel version
allow $1_$2_t sysctl_kernel_t:dir search;
allow $1_$2_t sysctl_kernel_t:file { getattr read };
# allow ps
can_ps($1_t, $1_$2_t)
# uses shared libraries
uses_shlib($1_$2_t)
# localization
read_locale($1_$2_t)
# Access the terminal.
allow $1_$2_t devpts_t:dir { search };
allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
# Required for win32 binary loader
allow $1_$2_t zero_device_t:chr_file { read write execute };
allow $1_$2_t self:process { execmem };
allow $1_$2_t win32_lib_t:file rx_file_perms;
allow $1_$2_t win32_lib_t:dir r_dir_perms;
# Access to DVD/CD/V4L
allow $1_$2_t device_t:dir r_dir_perms;
allow $1_$2_t device_t:lnk_file { getattr read };
allow $1_$2_t removable_device_t:blk_file { getattr read };
allow $1_$2_t v4l_device_t:chr_file { getattr read };
')
##############################
# mplayer_domain(prefix) #
##############################
define(`mplayer_domain',`
# Derive from X client domain
x_client_domain($1, `mplayer', `')
# Mplayer common stuff
mplayer_common($1, mplayer)
# Additional rules for search /tmp/.X11-unix
ifdef(`xdm.te', `
allow $1_mplayer_t xdm_tmp_t:dir search;
')dnl end if xdm.te
# Prevent getattr denials on restricted types when browsing with gmplayer
dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };
# Audio
allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
# RTC clock
allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
# Read home directory content
r_dir_file($1_mplayer_t, $1_home_t);
') dnl end mplayer_domain
##############################
# mencoder_domain(prefix) #
##############################
define(`mencoder_domain',`
# Privhome type transitions to $1_home_t in home dir.
type $1_mencoder_t, domain, privhome;
# Transition
domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
can_exec($1_mencoder_t, mencoder_exec_t)
role $1_r types $1_mencoder_t;
# Mplayer common stuff
mplayer_common($1, mencoder)
') dnl end mencoder_domain
[-- Attachment #5: mplayer.te --]
[-- Type: text/plain, Size: 397 bytes --]
#DESC mplayer - media player
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
# Type for the mplayer executable.
type mplayer_exec_t, file_type, exec_type, sysadmfile;
type mencoder_exec_t, file_type, exec_type, sysadmfile;
type mplayer_etc_t, file_type, sysadmfile;
type win32_lib_t, file_type, sysadmfile;
# Everything else is in the mplayer_domain macro in
# macros/program/mplayer_macros.te.
[-- Attachment #6: types.patch --]
[-- Type: text/x-patch, Size: 466 bytes --]
--- types.fc 2005-01-28 13:21:56.000000000 -0700
+++ types.new 2005-01-28 13:21:45.000000000 -0700
@@ -332,6 +332,7 @@
#
/usr(/.*)? system_u:object_r:usr_t
/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/lib/win32(/.*)? system_u:object_r:win32_lib_t
/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
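Review bot: the new /usr/lib/win32(/.*)? entry sits above the `/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- shlib_t` line, and a later matching entry takes precedence, so any regular file under /usr/lib/win32 whose name ends in .so would still be labeled shlib_t rather than win32_lib_t; either move the entry below that line or confirm no such files are shipped there. The entry also covers only /usr/lib, while the neighbouring lib_t line handles lib64 via (64)?; add a lib64 variant if the loader can live there.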
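As an added example (not part of this mail or the policy package), a minimal file_contexts matcher in Python that applies the .fc entries attached above with the last-match-wins rule and the file-type flags; the home directory, role name and the .dll/.so file names it checks are assumptions.

```python
import re

# Constructed sample: the .fc entries quoted in this thread (types.fc lines
# around the new win32_lib_t entry, then mplayer.fc), in build order.
SAMPLE_FC = r"""
/usr(/.*)?                                 system_u:object_r:usr_t
/usr(/.*)?/lib(64)?(/.*)?                  system_u:object_r:lib_t
/usr/lib/win32(/.*)?                       system_u:object_r:win32_lib_t
/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*   --  system_u:object_r:shlib_t
/usr/bin/mplayer                       --  system_u:object_r:mplayer_exec_t
/usr/bin/mencoder                      --  system_u:object_r:mencoder_exec_t
/etc/mplayer(/.*)?                         system_u:object_r:mplayer_etc_t
HOME_DIR/\.mplayer(/.*)?                   system_u:object_r:ROLE_mplayer_rw_t
"""
# file-type flags a file_contexts entry may carry; absent means "any class"
FTYPE = {"--": "file", "-d": "dir", "-b": "blk_file", "-c": "chr_file",
         "-l": "lnk_file", "-s": "sock_file", "-p": "fifo_file"}

def parse_fc(text, home_dir="/home/ivan", role="user"):
    """Parse file_contexts text into (anchored regex, class-or-None, context).
    home_dir and role stand in for the HOME_DIR/ROLE substitution the policy
    build performs per user; the values used here are assumptions."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, ctx = fields[0], fields[-1]
        cls = FTYPE[fields[1]] if len(fields) == 3 else None
        regex = regex.replace("HOME_DIR", re.escape(home_dir))
        specs.append((re.compile("^" + regex + "$"), cls, ctx.replace("ROLE", role)))
    return specs

def label_for(specs, path, cls="file"):
    """Context for path: the LAST matching entry wins (setfiles semantics),
    and entries carrying a file-type flag only apply to objects of that class."""
    ctx = "<<none>>"
    for rx, want, spec_ctx in specs:
        if want is not None and want != cls:
            continue
        if rx.match(path):
            ctx = spec_ctx
    return ctx

if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC)
    for p, c in [("/usr/lib/win32", "dir"), ("/usr/lib/win32/example.dll", "file"),
                 ("/usr/lib/win32/example.so", "file"), ("/usr/bin/mplayer", "file")]:
        print(p, c, "->", label_for(specs, p, c))
```

A .so under /usr/lib/win32 comes out as shlib_t because the shlib_t entry is listed later, which is the ordering point to keep in mind when adding the win32_lib_t line.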
* Re: [ RESEND ] Fedora Rawhide mplayer policy
From: Daniel J Walsh @ 2005-01-28 21:10 UTC (permalink / raw)
To: ivg2; +Cc: selinux
Ivan Gyurdiev wrote:
>So, how about this policy again?
>I didn't get too many comments last time.
>Do you find it useful, or have you decided to go with
>a tunable for reading /dev/rtc?
>
>There are more things involved than reading /dev/rtc; for example,
>mplayer required execute permissions on /usr/lib/win32,
>which is of type { lib_t } by default. I relabeled it to win32_lib_t.
>The win32 loader needs { execmem }.
>
>Any more comments?
>Latest version attached.
>It's for selinux-policy-strict-1.21.4-2.
>
>
>
>------------------------------------------------------------------------
>
>--- base_user_macros.te 2005-01-27 15:02:48.000000000 -0700
>+++ base_user_macros.new 2005-01-27 15:02:20.000000000 -0700
>@@ -188,6 +188,10 @@
> ifdef(`using_spamassassin', `spamassassin_domain($1)')
> ifdef(`uml.te', `uml_domain($1)')
> ifdef(`cdrecord.te', `cdrecord_domain($1)')
>+ifdef(`mplayer.te', `
>+mplayer_domain($1)
>+mencoder_domain($1)
>+')
>
> # Instantiate a derived domain for user cron jobs.
> ifdef(`crond.te', `crond_domain($1)')
>
>
>------------------------------------------------------------------------
>
># mplayer
>/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t
>/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t
>
>/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t
>HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_rw_t
>
>
>------------------------------------------------------------------------
>
>#
># Macros for mplayer
>#
># Author: Ivan Gyurdiev <ivg2@cornell.edu>
>#
>#
># mplayer_domain(domain_prefix)
># mencoder_domain(domain_prefix)
>
>################################################
># mplayer_common(prefix, mplayer domain) #
>################################################
>
>define(`mplayer_common',`
>
># Home directory stuff
>if (use_nfs_home_dirs) {
>create_dir_file($1_$2_t, nfs_t)
>}
>if (use_samba_home_dirs) {
>create_dir_file($1_$2_t, cifs_t)
>}
>allow $1_$2_t autofs_t:dir { search getattr };
>
># Read local config
>r_dir_file($1_$2_t, $1_mplayer_rw_t)
>
># Read global config
>r_dir_file($1_$2_t, mplayer_etc_t)
>
># Read data in /usr/share (fonts, icons..)
>r_dir_file($1_$2_t, usr_t)
>
># Read /proc files and directories
># Necessary for /proc/meminfo, /proc/cpuinfo, etc..
>allow $1_$2_t proc_t:dir search;
>allow $1_$2_t proc_t:file { getattr read };
>
># Sysctl on kernel version
>allow $1_$2_t sysctl_kernel_t:dir search;
>allow $1_$2_t sysctl_kernel_t:file { getattr read };
>
># allow ps
>can_ps($1_t, $1_$2_t)
>
># uses shared libraries
>uses_shlib($1_$2_t)
>
># localization
>read_locale($1_$2_t)
>
># Access the terminal.
>allow $1_$2_t devpts_t:dir { search };
>allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
>allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
>
># Required for win32 binary loader
>allow $1_$2_t zero_device_t:chr_file { read write execute };
>allow $1_$2_t self:process { execmem };
>allow $1_$2_t win32_lib_t:file rx_file_perms;
>allow $1_$2_t win32_lib_t:dir r_dir_perms;
>
># Access to DVD/CD/V4L
>allow $1_$2_t device_t:dir r_dir_perms;
>allow $1_$2_t device_t:lnk_file { getattr read };
>allow $1_$2_t removable_device_t:blk_file { getattr read };
>allow $1_$2_t v4l_device_t:chr_file { getattr read };
>')
>
>##############################
># mplayer_domain(prefix) #
>##############################
>
>define(`mplayer_domain',`
>
># Derive from X client domain
>x_client_domain($1, `mplayer', `')
>
># Mplayer common stuff
>mplayer_common($1, mplayer)
>
># Additional rules for search /tmp/.X11-unix
>ifdef(`xdm.te', `
>allow $1_mplayer_t xdm_tmp_t:dir search;
>')dnl end if xdm.te
>
># Prevent getattr denials on restricted types when browsing with gmplayer
>dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };
>
># Audio
>allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
>
># RTC clock
>allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
>
># Read home directory content
>r_dir_file($1_mplayer_t, $1_home_t);
>') dnl end mplayer_domain
>
>##############################
># mencoder_domain(prefix) #
>##############################
>
>define(`mencoder_domain',`
>
># Privhome type transitions to $1_home_t in home dir.
>type $1_mencoder_t, domain, privhome;
>
># Transition
>domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
>can_exec($1_mencoder_t, mencoder_exec_t)
>role $1_r types $1_mencoder_t;
>
># Mplayer common stuff
>mplayer_common($1, mencoder)
>
>') dnl end mencoder_domain
>
>
>------------------------------------------------------------------------
>
>#DESC mplayer - media player
>#
># Author: Ivan Gyurdiev <ivg2@cornell.edu>
>#
>
># Type for the mplayer executable.
>type mplayer_exec_t, file_type, exec_type, sysadmfile;
>type mencoder_exec_t, file_type, exec_type, sysadmfile;
>type mplayer_etc_t, file_type, sysadmfile;
>type win32_lib_t, file_type, sysadmfile;
>
># Everything else is in the mplayer_domain macro in
># macros/program/mplayer_macros.te.
>
>
>------------------------------------------------------------------------
>
>--- types.fc 2005-01-28 13:21:56.000000000 -0700
>+++ types.new 2005-01-28 13:21:45.000000000 -0700
>@@ -332,6 +332,7 @@
> #
> /usr(/.*)? system_u:object_r:usr_t
> /usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
>+/usr/lib/win32(/.*)? system_u:object_r:win32_lib_t
> /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
> /usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
> /usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
>
>
I will add them.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [ RESEND ] Fedora Rawhide mplayer policy
From: Ivan Gyurdiev @ 2005-01-28 21:17 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
> I will add them.
Warning, this creates a problem for xine:
audit(1106946868.187:0): avc: denied { search } for pid=2976
exe=/usr/bin/xine name=win32 dev=dm-0 ino=180195
scontext=user_u:user_r:user_t tcontext=system_u:object_r:win32_lib_t
tclass=dir
I could write a policy for that too, if necessary.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
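An added example, not from the thread: a small Python parser for AVC denials like the one above, grouping them by source type, target type and object class and rendering the allow rule each group would need in the style of the attached .te files; the second log line is constructed to show permission merging, and the rendered rule is a starting point for review, not something to apply unseen.

```python
import re
from collections import defaultdict

# The denial quoted in the thread, re-joined onto one line as syslog emits it,
# plus one constructed companion denial (getattr on the same directory).
SAMPLE_AVC = """\
audit(1106946868.187:0): avc: denied { search } for pid=2976 exe=/usr/bin/xine name=win32 dev=dm-0 ino=180195 scontext=user_u:user_r:user_t tcontext=system_u:object_r:win32_lib_t tclass=dir
audit(1106946869.002:0): avc: denied { getattr } for pid=2976 exe=/usr/bin/xine name=win32 dev=dm-0 ino=180195 scontext=user_u:user_r:user_t tcontext=system_u:object_r:win32_lib_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict with the action, the permission set and every key=value
    field of an AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": set(m.group("perms").split())}
    rec.update(dict(re.findall(r"(\w+)=(\S+)", m.group("fields"))))
    # the type is the third colon-separated field of a security context
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def denials_to_rules(text):
    """Aggregate denials by (source type, target type, class) and render the
    allow rule each group would need, permissions merged and sorted."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVC):
        print(rule)
```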
* Re: [ RESEND ] Fedora Rawhide mplayer policy
From: Daniel J Walsh @ 2005-01-28 22:33 UTC (permalink / raw)
To: ivg2; +Cc: selinux
Ivan Gyurdiev wrote:
>>I will add them.
>>
>>
>
>Warning, this creates a problem for xine:
>
>audit(1106946868.187:0): avc: denied { search } for pid=2976
>exe=/usr/bin/xine name=win32 dev=dm-0 ino=180195
>scontext=user_u:user_r:user_t tcontext=system_u:object_r:win32_lib_t
>tclass=dir
>
>I could write a policy for that too, if necessary.
>
>
>
Why not label win32_lib_t as being texrel_shlib_t?
Dan
* Re: [ RESEND ] Fedora Rawhide mplayer policy
From: Ivan Gyurdiev @ 2005-01-28 23:41 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
> Why not label win32_lib_t as being texrel_shlib_t?
It's not a text relocation issue.
It just needs { execute } so I could label it shlib_t.
Should I do that instead?
See, it's a *windows* shared library though, so I thought
it needed to be separated somehow from the elves (hehe..ELFs).
Currently it's marked lib_t. I bet xine gives denials for that too.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University