* Policy patch for hal
From: Daniel J Walsh @ 2007-02-20 16:54 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 233 bytes --]

Hal now is changing the attributes of sound device and video devices so 
userswitching can happen.

It reads and writes raw memory.

It has a new cache directory where it wants to store stuff.

Needs to telinit to change runlevel.



[-- Attachment #2: nsaserefpolicy_policy_modules_services_hal.patch --]
[-- Type: text/x-patch, Size: 2649 bytes --]

--- nsaserefpolicy/policy/modules/services/hal.fc	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/services/hal.fc	2007-02-19 16:01:52.000000000 -0500
@@ -8,4 +8,6 @@
 
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
+/var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
+
 /var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
--- nsaserefpolicy/policy/modules/services/hal.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/services/hal.te	2007-02-20 10:26:38.000000000 -0500
@@ -16,6 +16,9 @@
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 
@@ -25,8 +28,8 @@
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:capability { chown fowner setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_fifo_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
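Review bot: the added `fowner` capability sits under the comment `# execute openvt which needs setuid`, which does not explain it. If it is there for the attribute changes on sound and video devices mentioned in the description, say so in a comment next to the allow rule. Two smaller points on the dontaudit line: `{sys_ptrace` is missing the space after the brace, and `sys_tty_config` is allowed on the line above and dontaudited here, so one of the two is redundant.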
@@ -51,6 +54,8 @@
 manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
 files_pid_filetrans(hald_t,hald_var_run_t,file)
 
+manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
+
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctls(hald_t)
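Review bot: `manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)` covers files only, while the hal.fc entry `/var/cache/hald(/.*)?` labels everything under the directory. If hald creates subdirectories in its cache, a matching `manage_dirs_pattern` line is needed; if hald creates /var/cache/hald itself, the directory needs a type transition in the same way `files_pid_filetrans` is used just above for the pid file. If the directory is expected to be created and labelled by the package, a comment saying so would help.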
@@ -85,9 +90,15 @@
 dev_rw_power_management(hald_t)
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
+dev_read_sound(hald_t)
+dev_write_sound(hald_t)
+dev_read_raw_memory(hald_t)
+dev_write_raw_memory(hald_t)
+dev_setattr_video_dev(hald_t)
 
 domain_use_interactive_fds(hald_t)
 domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
 
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
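Review bot: `dev_read_raw_memory(hald_t)` and `dev_write_raw_memory(hald_t)` are granted unconditionally and without a comment. Raw memory access lets the domain read or alter anything on the system, so the remaining restrictions on hald_t stop meaning much. Please add a comment naming the hal component that needs it, and put the two lines behind a boolean or move them to a separate domain for that helper if that is possible. `domain_dontaudit_ptrace_all_domains(hald_t)` also needs a comment on what triggers the ptrace checks, because it silences those denials for hald_t against every domain.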
@@ -101,6 +112,7 @@
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
 files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
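Review bot: `files_rw_lock_dirs(hald_t)` is not covered by the patch description, which lists device attributes, raw memory, the cache directory and telinit. Add a comment saying which lock file hald takes, and check whether a hal-specific lock type would do instead of write access to the generic lock directories.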
@@ -130,10 +142,10 @@
 init_use_fds(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
-init_write_initctl(hald_t)
 init_read_utmp(hald_t)
 #hal runs shutdown, probably need a shutdown domain
 init_rw_utmp(hald_t)
+init_telinit(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
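Review bot: `init_telinit(hald_t)` lands under the existing comment `#hal runs shutdown, probably need a shutdown domain`, two lines away from where `init_write_initctl(hald_t)` is removed, so the swap is easy to miss. Put a comment on the new line saying hald changes runlevel through telinit, and state whether `init_telinit` still covers the initctl write that the removed line granted. The context also shows `init_read_utmp(hald_t)` directly before `init_rw_utmp(hald_t)`; the first looks redundant.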


* Re: Policy patch for hal
From: Christopher J. PeBenito @ 2007-02-26 19:32 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2007-02-20 at 11:54 -0500, Daniel J Walsh wrote:
> Hal now is changing the attributes of sound device and video devices so 
> userswitching can happen.
> 
> It reads and writes raw memory.

This is disappointing.  With this and raw disk access, hal is basically
unconfined.  Is there any chance we can figure out what these perms are
tied to so they could potentially be made conditional?

> It has a new cache directory where it wants to store stuff.
> 
> Needs to telinit to change runlevel.
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Policy patch for hal
From: Daniel J Walsh @ 2007-02-26 20:56 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SE Linux

Christopher J. PeBenito wrote:
> On Tue, 2007-02-20 at 11:54 -0500, Daniel J Walsh wrote:
>   
>> Hal now is changing the attributes of sound device and video devices so 
>> userswitching can happen.
>>
>> It reads and writes raw memory.
>>     
>
> This is disappointing.  With this and raw disk access, hal is basically
> unconfined.  Is there any chance we can figure out what these perms are
> tied to so they could potentially be made conditional?
>   
We are beginning to break it up, so some sub packages of hal (hal_acl) 
have different powers,  but the nature of the tool is going to give it 
lots of power.
>   
>> It has a new cache directory where it wants to store stuff.
>>
>> Needs to telinit to change runlevel.
>>
>>
>>     

