From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Adding support for the vlock program
Date: Wed, 27 Oct 2010 12:32:21 +0200
Message-ID: <4CC7FFB5.3070600@gmail.com>
In-Reply-To: <SNT139-w5651A127E6684B25031C11AB430@phx.gbl>

On 10/27/2010 10:58 AM, TaurusHarry wrote:
> 
> Hi Dom,
> 
> Many thanks for reviewing my patch. I have integrated your suggestions, and attached is the v1 version of vlock.pp.

Looks like you have missed my first reply with suggestions:

http://oss.tresys.com/pipermail/refpolicy/2010-October/003425.html


> Thanks again,
> Harry
> 
> 
> 
> Date: Tue, 26 Oct 2010 14:41:31 +0200
> From: domg472 at gmail.com
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Adding support for the vlock program
> 
> On Tue, Oct 26, 2010 at 09:40:52AM +0000, TaurusHarry wrote:
>>
>> Hi refpolicy experts,
>>
>> I have tried to develop a vlock.pp in order to run the vlock program (2.2.2 version) on top of the latest refpolicy git tree; please see the attachment.
>>
>> I am testing in a qemu environment. The system administrator and an unprivileged user could log in from the serial console or by ssh, and both could use the vlock command to lock their current console successfully.
>>
>> How could I contribute it back to the refpolicy git tree?
>>
>> Any comment is greatly appreciated!
>  
> Some more pretty insignificant cosmetic suggestions inline.
>>
>> Best regards,
>> Harry
>>  		 	   		  
>  
>> From ad4692423bcb1e10d5b9f146eab86de09b37dbb3 Mon Sep 17 00:00:00 2001
>> From: Harry Ciao <qingtao.cao@windriver.com>
>> Date: Tue, 26 Oct 2010 14:34:11 +0800
>> Subject: [PATCH] Adding support for the vlock program
>>
>> Adding support for the vlock program.
>>
>> Tested on vlock-2.2.2, both system administrator and unprivileged user
>> could make use of vlock to lock his console successfully.
>>
>> Signed-off-by: Harry Ciao <harrytaurus2002@hotmail.com>
>> ---
>>  policy/modules/apps/vlock.fc        |    1 +
>>  policy/modules/apps/vlock.if        |   48 ++++++++++++++++++++++++++
>>  policy/modules/apps/vlock.te        |   63 +++++++++++++++++++++++++++++++++++
>>  policy/modules/system/userdomain.if |    2 +
>>  4 files changed, 114 insertions(+), 0 deletions(-)
>>  create mode 100644 policy/modules/apps/vlock.fc
>>  create mode 100644 policy/modules/apps/vlock.if
>>  create mode 100644 policy/modules/apps/vlock.te
>>
>> diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
>> new file mode 100644
>> index 0000000..621d5fd
>> --- /dev/null
>> +++ b/policy/modules/apps/vlock.fc
>> @@ -0,0 +1 @@
>> +/usr/sbin/vlock-main	--	gen_context(system_u:object_r:vlock_exec_t,s0)
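Review bot: the only path labelled vlock_exec_t is /usr/sbin/vlock-main, while the commit message says users run "vlock". Add a short comment in vlock.fc (or in the commit message) stating how the vlock command relates to vlock-main, so it is clear why no other path needs an entry. If users reach vlock-main through another executable, confirm the transition from the user domain still happens on that path, since domtrans_pattern in vlock.if keys on vlock_exec_t alone.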
>> diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if
>> new file mode 100644
>> index 0000000..259575e
>> --- /dev/null
>> +++ b/policy/modules/apps/vlock.if
>> @@ -0,0 +1,48 @@
>> +## <summary>Policy for the vlock program.</summary>
>  
> Try to put something meaningful in the summary; we already know it's policy, so that's redundant. Try something like:
>  
> "Lock one or more sessions on the Linux console."
>  
>> +
>> +#######################################
>> +## <summary>
>> +## 	Execute vlock in the vlock domain.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>  
> Domain allowed to transition.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`vlock_domtrans_vlock',`
>> +	gen_require(`
>> +		type vlock_t, vlock_exec_t;
>> +	')
>> +
>> +	files_search_usr($1)
>> +	corecmd_search_bin($1)
>> +	domtrans_pattern($1, vlock_exec_t, vlock_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Execute vlock in the vlock domain, and
>> +##	allow the specified role the vlock domain,
>> +##	and use the caller's terminal.
>  
> That "use the caller's terminal" is not applicable here.
>  
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>  
> Again: Domain allowed to transition.
>> +##	</summary>
>> +## </param>
>> +## <param name="role">
>> +##	<summary>
>> +##	The role to be allowed the vlock domain.
>  
> We currently use just: Role allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`vlock_run_vlock',`
>> +	gen_require(`
>> +		type vlock_t;
>> +	')
>> +
>> +	vlock_domtrans_vlock($1)
>> +	role $2 types vlock_t;
>> +')
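Review bot: the interface names vlock_domtrans_vlock and vlock_run_vlock repeat the module name as the object. Since vlock_t is the only domain this module declares, vlock_domtrans and vlock_run would follow the usual refpolicy naming for a module's main domain, and the call added to userdomain.if would need the same rename. A smaller style point: the first summary line is indented with a space plus a tab ("## 	Execute vlock in the vlock domain."), unlike the other doc lines in the file.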
>> diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
>> new file mode 100644
>> index 0000000..f0fa315
>> --- /dev/null
>> +++ b/policy/modules/apps/vlock.te
>> @@ -0,0 +1,63 @@
>> +policy_module(vlock, 1.0.0)
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +type vlock_t;
>> +type vlock_exec_t;
>> +application_domain(vlock_t,vlock_exec_t)
>> +
>> +
>> +########################################
>> +#
>> +# Vlock local policy
>> +#
>> +
>> +allow vlock_t self:fd use;
>> +allow vlock_t self:fifo_file rw_fifo_file_perms;
>> +allow vlock_t self:unix_dgram_socket { create connect };
>> +allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>> +
>> +# dont audit the failed attempt of vlock_t to setuid/setgid, because
>> +# 1. we used --enable_pam for vlock to use PAM to authenticate passwd
>> +# 2. no guarantee that to make vlock setuid is safe
>> +dontaudit vlock_t self:capability { setuid setgid };
>> +
>> +kernel_read_system_state(vlock_t)
>> +
>> +corecmd_list_bin(vlock_t)
>> +corecmd_read_bin_symlinks(vlock_t)
>> +
>> +files_read_etc_files(vlock_t)
>> +files_read_var_files(vlock_t)
>> +files_read_var_symlinks(vlock_t)
>> +
>> +init_rw_utmp(vlock_t)
>> +
>> +term_use_all_user_ttys(vlock_t)
>> +term_use_all_user_ptys(vlock_t)
>> +userdom_use_user_terminals(vlock_t)
>> +
>> +# Must call this interface otherwise PAM session will fail
>> +# with message of "terminal=? res=failed"
>> +domain_use_interactive_fds(vlock_t)
>> +
>> +auth_domtrans_chk_passwd(vlock_t)
>> +
>> +miscfiles_read_localization(vlock_t)
>> +
>> +logging_send_syslog_msg(vlock_t)
>> +
>> +selinux_getattr_fs(vlock_t)
>> +
>> +# When MLS enabled and vlock PAM config file using pam_tally2 module,
>> +# if the caller's security level is > s0, the vlock domain should be able
>> +# to write into /var/log/tallylog file which is s0.
>> +mls_file_write_all_levels(vlock_t)
>> +
>> +# vlock could be used successfully without the search permissions on
>> +# home_root_t or user_home_dir_t, suppress the related error messages.
>> +files_dontaudit_search_home(vlock_t)
>> +userdom_dontaudit_search_user_home_dirs(vlock_t)
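Review bot: mls_file_write_all_levels(vlock_t) near the end of the local policy exempts vlock_t from the MLS file write constraint for everything it is otherwise allowed to write, although the comment above it names only /var/log/tallylog as the reason. At minimum extend the comment to state what else vlock_t can write under this policy, and consider whether a narrower grant can cover that one file. The terminal rules also overlap: term_use_all_user_ttys and term_use_all_user_ptys sit next to userdom_use_user_terminals with no comment on why all three are needed, and files_read_var_files is similarly unexplained.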
>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>> index 35f1476..d1bd453 100644
>> --- a/policy/modules/system/userdomain.if
>> +++ b/policy/modules/system/userdomain.if
>> @@ -565,6 +565,8 @@ template(`userdom_common_user_template',`
>>  	# to this one.
>>  	seutil_dontaudit_signal_newrole($1_t)
>>  
>> +	vlock_run_vlock($1_t,$1_r)
>> +
>>  	tunable_policy(`user_direct_mouse',`
>>  		dev_read_mouse($1_t)
>>  	')
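Review bot: vlock_run_vlock($1_t,$1_r) is called unconditionally inside userdom_common_user_template, which makes the system-layer userdomain module depend on the apps-layer vlock module being built. Wrap the call in optional_policy(` ... ') so userdomain still compiles when vlock is left out, and consider whether every user domain created from the common template should get the transition or only selected roles.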
>> -- 
>> 1.7.0.4
>>
>  
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>  