* Policy patch for hal
@ 2007-02-20 16:54 Daniel J Walsh
  2007-02-26 19:32 ` Christopher J. PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2007-02-20 16:54 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 233 bytes --]

Hal now changes the attributes of sound and video devices so that 
user switching can happen.

It reads and writes raw memory.

It has a new cache directory where it wants to store stuff.

Needs to telinit to change runlevel.



[-- Attachment #2: nsaserefpolicy_policy_modules_services_hal.patch --]
[-- Type: text/x-patch, Size: 2649 bytes --]

--- nsaserefpolicy/policy/modules/services/hal.fc	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/services/hal.fc	2007-02-19 16:01:52.000000000 -0500
@@ -8,4 +8,6 @@
 
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
+/var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
+
 /var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
--- nsaserefpolicy/policy/modules/services/hal.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/services/hal.te	2007-02-20 10:26:38.000000000 -0500
@@ -16,6 +16,9 @@
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 
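Review bot: `files_pid_file(hald_cache_t)` on the new type declaration marks the cache type as a pid file, which does not match what /var/cache/hald holds and differs from the sibling hald_var_lib_t just below, which uses `files_type`. The pid-file attribute means every interface written over that attribute would also reach the cache, so the declaration should read `files_type(hald_cache_t)`. If a pid-file-like type is really intended, a one-line comment above it saying why would save the next reader the same question.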
@@ -25,8 +28,8 @@
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:capability { chown fowner setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_fifo_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
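Review bot: The new dontaudit line writes its set as `{sys_ptrace sys_tty_config }` with no space after the opening brace, unlike the allow line directly above it; `dontaudit hald_t self:capability { sys_ptrace sys_tty_config };` keeps the file's spacing. While the line is touched it is also worth noting that sys_tty_config is allowed on the preceding line, so the dontaudit on it appears to be a no-op (pre-existing, not introduced here).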
@@ -51,6 +54,8 @@
 manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
 files_pid_filetrans(hald_t,hald_var_run_t,file)
 
+manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
+
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctls(hald_t)
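Review bot: `manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)` grants file permissions only, while the hal.fc hunk labels the whole subtree `/var/cache/hald(/.*)?`; if hal creates subdirectories in its cache, the directory permissions are missing and those creates will be denied. Adding `manage_dirs_pattern(hald_t,hald_cache_t,hald_cache_t)` next to it would cover that case; whether the neighbouring hald_var_run_t rules include a dir pattern is not visible in this hunk, so confirm against the rest of hal.te. A short comment such as `# hal cache under /var/cache/hald` above the pattern would also match the file's style.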
@@ -85,9 +90,15 @@
 dev_rw_power_management(hald_t)
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
+dev_read_sound(hald_t)
+dev_write_sound(hald_t)
+dev_read_raw_memory(hald_t)
+dev_write_raw_memory(hald_t)
+dev_setattr_video_dev(hald_t)
 
 domain_use_interactive_fds(hald_t)
 domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
 
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
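Review bot: `dev_write_raw_memory(hald_t)` is the widest grant in this hunk and carries no comment, although the file explains its other unusual grants (`# hal is now execing pm-suspend` a few lines up). Write access to the raw memory devices lets the domain modify anything on the system, so the rule should record which hal component needs it, e.g. `# raw memory access needed by <hal prober -- confirm>; write required for <reason -- confirm>`, and if only reads show up in practice the write interface should be dropped (or dontaudited) rather than allowed. The same question, in weaker form, applies to `dev_write_sound` versus the read it sits beside.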
@@ -101,6 +112,7 @@
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
 files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
@@ -130,10 +142,10 @@
 init_use_fds(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
-init_write_initctl(hald_t)
 init_read_utmp(hald_t)
 #hal runs shutdown, probably need a shutdown domain
 init_rw_utmp(hald_t)
+init_telinit(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)

