From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>,
	SE Linux <selinux@tycho.nsa.gov>
Subject: Hal fixes
Date: Thu, 19 Apr 2007 11:26:13 -0400	[thread overview]
Message-ID: <46278A15.60706@redhat.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 45 bytes --]

Break hal apart by adding three new domains.

[-- Attachment #2: hal.patch --]
[-- Type: text/x-patch, Size: 8487 bytes --]

--- nsaserefpolicy/policy/modules/services/hal.fc	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.12/policy/modules/services/hal.fc	2007-04-11 17:07:34.000000000 -0400
@@ -8,4 +8,12 @@
 
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
+/var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
+
 /var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
+
+/usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hal-system-sonypic	 --	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+
+/var/log/pm-suspend.log				gen_context(system_u:object_r:hald_log_t,s0)
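Review bot: The new `/var/log/pm-suspend.log` entry is the only regular-file entry in this hunk without the `--` qualifier that the neighbouring pid-file and libexec lines carry, so a directory or symlink placed at that path would also be relabeled hald_log_t; write it as `/var/log/pm-suspend.log	--	gen_context(system_u:object_r:hald_log_t,s0)`. The type name hald_log_t suggests hald's own daemon log, but the pattern covers only the pm-suspend log; a short comment above the line saying it is the pm-utils suspend log written on hald's behalf would stop the type being assumed to cover more than it does.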
--- nsaserefpolicy/policy/modules/services/hal.if	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.12/policy/modules/services/hal.if	2007-04-16 11:36:25.000000000 -0400
@@ -208,3 +208,42 @@
 	files_search_pids($1)
 	allow $1 hald_var_run_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the hal
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_write_log',`
+	gen_require(`
+		type hald_log_t;
+	')
+
+	dontaudit $1 hald_log_t:file { append write };
+')
+
+########################################
+## <summary>
+##	Allow attempts to write the hal
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`hal_write_log',`
+	gen_require(`
+		type hald_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 hald_log_t:file rw_file_perms;
+')
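Review bot: The `<param name="domain">` summary of `hal_write_log` still reads "Domain to not audit", copied from the dontaudit interface above it; it should read `Domain allowed access.`. The interface is named `write_log` but grants `rw_file_perms`, so either the summary should say read and write, or the rule should be narrowed to `allow $1 hald_log_t:file write_file_perms;` if callers only need to append to the log. Stating which one is intended matters because this interface is how other modules get a foothold on a file hald itself manages.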
--- nsaserefpolicy/policy/modules/services/hal.te	2007-03-20 23:38:00.000000000 -0400
+++ serefpolicy-2.5.12/policy/modules/services/hal.te	2007-04-19 09:51:36.000000000 -0400
@@ -16,9 +16,33 @@
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 
+type hald_log_t;
+files_type(hald_log_t)
+
+type hald_acl_t;
+type hald_acl_exec_t;
+domain_type(hald_acl_t)
+domain_entry_file(hald_acl_t,hald_acl_exec_t)
+role system_r types hald_acl_t;
+
+type hald_mac_t;
+type hald_mac_exec_t;
+domain_type(hald_mac_t)
+domain_entry_file(hald_mac_t,hald_mac_exec_t)
+role system_r types hald_mac_t;
+
+type hald_sonypic_t;
+type hald_sonypic_exec_t;
+domain_type(hald_sonypic_t)
+domain_entry_file(hald_sonypic_t,hald_sonypic_exec_t)
+role system_r types hald_sonypic_t;
+
 ########################################
 #
 # Local policy
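Review bot: `hald_cache_t` is declared with `files_pid_file` although hal.fc applies it to `/var/cache/hald`, which is not a pid file; that gives it the pidfile attribute, so any domain allowed to manage or delete all pid files (init scripts, presumably) silently gains the same rights over hal's cache, and it should be `files_type(hald_cache_t)` instead. `hald_log_t` has the opposite problem: it is declared with `files_type` rather than `logging_log_file(hald_log_t)`, so it will not carry the logfile attribute and the generic log-rotation and log-reading interfaces will not reach it. The three helper domains are correctly declared with `domain_type`/`domain_entry_file` and `role system_r`, since they are only entered from hald_t, but a one-line comment per domain naming the program it confines (hal-acl-tool, the MacBook Pro backlight addon, hal-system-sonypic) would make this block self-explanatory.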
@@ -26,7 +50,7 @@
 
 # execute openvt which needs setuid
 allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-dontaudit hald_t self:capability sys_tty_config;
+dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_fifo_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
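Review bot: The rewritten dontaudit line is formatted `{sys_ptrace sys_tty_config }` while every other permission set in the file is written `{ a b }`; normalise it to `dontaudit hald_t self:capability { sys_ptrace sys_tty_config };`. The comment above this pair still only explains the setuid need for openvt, so a second comment, `# hald probes /proc/<pid> of other processes; ptrace is not needed, just silence it`, or whatever the actual trigger is, should say why sys_ptrace is being attempted rather than leaving a dontaudit with no rationale next to a capability grant that already includes sys_admin and sys_rawio.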
@@ -48,14 +72,20 @@
 manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
 manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
 
+# var/log files for hald
+allow hald_t hald_log_t:file manage_file_perms;
+logging_log_filetrans(hald_t,hald_log_t,file)
+
 manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
 files_pid_filetrans(hald_t,hald_var_run_t,file)
 
+manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
+
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
-kernel_read_kernel_sysctls(hald_t)
+kernel_rw_kernel_sysctl(hald_t)
 kernel_read_fs_sysctls(hald_t)
-kernel_read_irq_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
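Review bot: `kernel_rw_kernel_sysctl(hald_t)` and `kernel_rw_irq_sysctls(hald_t)` turn read-only access into write access over the whole /proc/sys/kernel and /proc/irq trees; /proc/sys/kernel includes modprobe, hotplug and sysrq, so a compromised hald_t, which already holds sys_admin per the capability line above, could redirect which helper the kernel executes. The two lines should carry a comment naming the specific sysctl hal writes, and if it is a single key (a power-management or hotplug setting, presumably) a dedicated type and interface for that key is preferable to the whole tree. Separately, `manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)` covers files and rw on the existing directory but has no `files_var_filetrans`, so if hald creates `/var/cache/hald` itself at startup the directory will be created as var_t rather than hald_cache_t.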
@@ -85,9 +115,13 @@
 dev_rw_power_management(hald_t)
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
+dev_read_sound(hald_t)
+dev_write_sound(hald_t)
+dev_read_raw_memory(hald_t)
 
 domain_use_interactive_fds(hald_t)
 domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
 
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
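Review bot: `dev_read_raw_memory(hald_t)` lets the main daemon read /dev/mem and /dev/kmem, i.e. all physical and kernel memory including any key material resident there, and combined with the existing sys_rawio capability it is the single broadest grant in the patch. It needs a comment naming the probe that requires it (presumably a DMI/SMBIOS or BIOS-region read on x86), and since this patch already moves the backlight addon's raw-memory access into its own hald_mac_t domain, the same treatment, a helper domain or at least a tunable, is the consistent way to handle this one rather than giving it to hald_t unconditionally. `domain_dontaudit_ptrace_all_domains(hald_t)` pairs with the sys_ptrace dontaudit in the hunk above and is fine as long as that rationale is recorded there.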
@@ -101,9 +135,11 @@
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
 files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
+fs_list_inotifyfs(hald_t)
 fs_list_auto_mountpoints(hald_t)
 files_getattr_all_mountpoints(hald_t)
 
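Review bot: `files_rw_lock_dirs(hald_t)` gives read/write on the /var/lock directory without a hal lock-file type or a filetrans, so any lock file hald creates there will be labeled the generic var_lock_t, shared with every other domain allowed generic locks, and nothing in this hunk gives hald_t file permissions on that type. If hald really writes a lock file, add a `hald_lock_t` declared with `files_lock_file` plus `files_lock_filetrans(hald_t,hald_lock_t,file)`; if it only needs to look in the directory, `files_search_locks(hald_t)` is the narrower rule. Which of the two applies cannot be told from the patch alone, so the chosen rule deserves a comment.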
@@ -128,10 +164,10 @@
 auth_use_nsswitch(hald_t)
 
 init_domtrans_script(hald_t)
-init_write_initctl(hald_t)
 init_read_utmp(hald_t)
 #hal runs shutdown, probably need a shutdown domain
 init_rw_utmp(hald_t)
+init_telinit(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
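Review bot: The pre-existing comment `#hal runs shutdown, probably need a shutdown domain` sits above `init_rw_utmp`, but the rule it actually describes is the new `init_telinit(hald_t)` two lines below; move the comment directly above `init_telinit` so the privilege it explains, that hald_t can change runlevel and shut the machine down, is visible where it is granted. Dropping `init_write_initctl` is only correct if `init_telinit` covers the initctl fifo write, which is not visible from this hunk and is worth confirming against init.if before the old rule goes.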
@@ -160,6 +196,10 @@
 ')
 
 optional_policy(`
+	alsa_read_rw_config(hald_t)
+')
+
+optional_policy(`
 	bootloader_domtrans(hald_t)
 ')
 
@@ -245,3 +285,102 @@
 optional_policy(`
 	vbetool_domtrans(hald_t)
 ')
+
+########################################
+#
+# Local hald acl policy
+#
+
+allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self : fifo_file read_fifo_file_perms;
+
+domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+allow hald_t hald_acl_t : process signal;
+allow hald_acl_t hald_t : unix_stream_socket connectto;
+manage_dirs_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
+manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
+
+corecmd_exec_bin(hald_acl_t)
+
+dev_getattr_all_chr_files(hald_acl_t)
+dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_video_dev(hald_acl_t)
+dev_setattr_video_dev(hald_acl_t)
+dev_getattr_sound_dev(hald_acl_t)
+dev_setattr_sound_dev(hald_acl_t)
+dev_setattr_generic_usb_dev(hald_acl_t)
+dev_setattr_usbfs_files(hald_acl_t)
+
+libs_use_ld_so(hald_acl_t)
+libs_use_shared_libs(hald_acl_t)
+
+files_search_var_lib(hald_acl_t)
+files_read_usr_files(hald_acl_t)
+files_read_etc_files(hald_acl_t)
+
+storage_getattr_removable_dev(hald_acl_t)
+storage_setattr_removable_dev(hald_acl_t)
+
+miscfiles_read_localization(hald_acl_t)
+
+auth_use_nsswitch(hald_acl_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_console(hald_acl_t)
+	term_dontaudit_use_generic_ptys(hald_acl_t)
+')
+
+########################################
+#
+# Local hald mac policy
+#
+
+domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
+allow hald_t hald_mac_t : process signal;
+allow hald_mac_t hald_t : unix_stream_socket connectto;
+
+files_search_var_lib(hald_mac_t)
+manage_dirs_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
+manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
+
+libs_use_ld_so(hald_mac_t)
+libs_use_shared_libs(hald_mac_t)
+
+files_read_usr_files(hald_mac_t)
+
+dev_write_raw_memory(hald_mac_t)
+
+miscfiles_read_localization(hald_mac_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_console(hald_mac_t)
+	term_dontaudit_use_generic_ptys(hald_mac_t)
+')
+
+########################################
+#
+# Local hald sonypic policy
+#
+
+domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
+allow hald_t hald_sonypic_t : process signal;
+allow hald_sonypic_t hald_t : unix_stream_socket connectto;
+
+dev_read_video_dev(hald_sonypic_t)
+dev_write_video_dev(hald_sonypic_t)
+
+files_search_var_lib(hald_sonypic_t)
+manage_dirs_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
+manage_files_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
+
+libs_use_ld_so(hald_sonypic_t)
+libs_use_shared_libs(hald_sonypic_t)
+
+files_read_usr_files(hald_sonypic_t)
+
+miscfiles_read_localization(hald_sonypic_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_console(hald_sonypic_t)
+	term_dontaudit_use_generic_ptys(hald_sonypic_t)
+')
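Review bot: `dev_write_raw_memory(hald_mac_t)` grants write but not read on /dev/mem; a backlight addon that mmaps the device read/write will be denied at open, so either add `dev_read_raw_memory(hald_mac_t)` or confirm the tool opens it write-only, and in either case a comment explaining why a backlight helper touches physical memory (memory-mapped graphics registers, presumably) belongs above the line. The hald_mac_t and hald_sonypic_t sections omit `files_read_etc_files`, which hald_acl_t does get; if those addons pull in anything through libc configuration this will surface as denials. Style-wise, `self : fifo_file`, `hald_acl_t : process` and `hald_t : unix_stream_socket` put spaces around the colon while the rest of the file writes `self:capability`; normalise to `allow hald_acl_t self:fifo_file read_fifo_file_perms;` and likewise for the other five rules.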
--- nsaserefpolicy/policy/modules/admin/bootloader.te	2007-02-19 11:32:54.000000000 -0500
+++ serefpolicy-2.5.12/policy/modules/admin/bootloader.te	2007-04-16 11:36:34.000000000 -0400
@@ -187,6 +189,7 @@
 
 optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
+	hal_dontaudit_write_log(bootloader_t)
 ')
 
 optional_policy(`
--- nsaserefpolicy/policy/modules/services/ntp.te	2007-04-10 12:52:58.000000000 -0400
+++ serefpolicy-2.5.12/policy/modules/services/ntp.te	2007-04-11 17:07:34.000000000 -0400
@@ -137,6 +137,10 @@
 ')
 
 optional_policy(`
+	hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(ntpd_t)
 ')
 
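Review bot: `hal_dontaudit_write_log(ntpd_t)` hides write attempts on hald_log_t rather than explaining why ntpd holds that descriptor; the likely cause is a pm-suspend hook restarting ntpd with the pm-suspend.log fd inherited from hald_t, but that is inferred, not stated. Silencing a leaked descriptor is the usual refpolicy treatment, so a comment such as `# pm-suspend hooks restart ntpd with hald's log fd inherited` above the call would save the next reader from re-deriving it, and the same note applies to the matching bootloader.te change.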
