* [refpolicy] Fedora patch on tcsd.
@ 2011-02-08 22:00 Daniel J Walsh
  2011-02-15 15:37 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel J Walsh @ 2011-02-08 22:00 UTC (permalink / raw)
  To: refpolicy


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcsd.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110208/fa261422/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcsd.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110208/fa261422/attachment.bin 


* [refpolicy] Fedora patch on tcsd.
  2011-02-08 22:00 [refpolicy] Fedora patch on tcsd Daniel J Walsh
@ 2011-02-15 15:37 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2011-02-15 15:37 UTC (permalink / raw)
  To: refpolicy

On 2/8/2011 5:00 PM, Daniel J Walsh wrote:
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> index 8a473e7..7fdda14 100644
> --- a/policy/modules/services/tcsd.fc
> +++ b/policy/modules/services/tcsd.fc
> @@ -1,3 +1,6 @@
> +/etc/rc\.d/init\.d/tcsd	--	gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
> +
>  /usr/sbin/tcsd		--	gen_context(system_u:object_r:tcsd_exec_t,s0)
> +
>  /var/lib/tpm(/.*)?		gen_context(system_u:object_r:tcsd_var_lib_t,s0)
>
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> index e814f69..f7d6fa3 100644
> --- a/policy/modules/services/tcsd.if
> +++ b/policy/modules/services/tcsd.if
> @@ -1 +1,153 @@
>  ## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
> +
> +########################################
> +## <summary>
> +##	Execute a domain transition to run tcsd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_domtrans',`
> +	gen_require(`
> +		type tcsd_t, tcsd_exec_t;
> +	')
> +
> +	domtrans_pattern($1, tcsd_exec_t, tcsd_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +##	Execute tcsd server in the tcsd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_initrc_domtrans',`
> +	gen_require(`
> +		type tcsd_initrc_exec_t;
> +	')
> +
> +	init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Search tcsd lib directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_search_lib',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	allow $1 tcsd_var_lib_t:dir search_dir_perms;
> +	files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Read tcsd lib files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_read_lib_files',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +        read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	tcsd lib files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_manage_lib_files',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +        manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage tcsd lib dirs files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_manage_lib_dirs',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +        manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an tcsd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`tcsd_admin',`
> +	gen_require(`
> +		type tcsd_t;
> +		type tcsd_initrc_exec_t;
> +                type tcsd_var_lib_t;
> +	')
> +
> +	allow $1 tcsd_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, tcsd_t)
> +
> +	tcsd_initrc_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 tcsd_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_search_var_lib($1)
> +	admin_pattern($1, tcsd_var_lib_t)
> +
> +')
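Review bot: `tcsd_admin` grants the admin domain `ptrace` on `tcsd_t` unconditionally (`allow $1 tcsd_t:process { ptrace signal_perms };`), which lets it read and alter the memory of the daemon that holds read/write access to the TPM device (`dev_rw_tpm` in tcsd.te). Nothing else in the interface depends on it: restarting goes through `tcsd_initrc_domtrans` and process inspection through `ps_process_pattern`. I would reduce the rule to `allow $1 tcsd_t:process signal_perms;`, or, if debugging access is really wanted, put the `ptrace` part behind a policy tunable so it is off by default. Separately, the summary on `tcsd_initrc_domtrans` says "Execute tcsd server in the tcsd domain", but the body calls `init_labeled_script_domtrans`, so it runs the init script rather than the server; `##	Execute the tcsd init script in the initrc domain.` would match the code.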
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> index f17dafd..30d2c75 100644
> --- a/policy/modules/services/tcsd.te
> +++ b/policy/modules/services/tcsd.te
> @@ -10,7 +10,9 @@ type tcsd_exec_t;
>  domain_type(tcsd_t)
>  init_daemon_domain(tcsd_t, tcsd_exec_t)
>
> -# /var/lib/tpm
> +type tcsd_initrc_exec_t;
> +init_script_file(tcsd_initrc_exec_t)
> +
>  type tcsd_var_lib_t;
>  files_type(tcsd_var_lib_t)
>
> @@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid };
>  allow tcsd_t self:process { signal sigkill };
>  allow tcsd_t self:tcp_socket create_stream_socket_perms;
>
> -# var/lib files for tcsd
>  manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
>  manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
>  files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
>
> -# Accept connections on the TCS port over loopback.
>  corenet_all_recvfrom_unlabeled(tcsd_t)
>  corenet_tcp_bind_generic_node(tcsd_t)
>  corenet_tcp_bind_tcs_port(tcsd_t)
>
>  dev_read_urand(tcsd_t)
> -# Access /dev/tpm0.
>  dev_rw_tpm(tcsd_t)
>
>  files_read_etc_files(tcsd_t)
>  files_read_usr_files(tcsd_t)
>
> -# Log messages via syslog.
> +auth_use_nsswitch(tcsd_t)
> +
>  logging_send_syslog_msg(tcsd_t)
>
>  miscfiles_read_localization(tcsd_t)
>
> -sysnet_read_config(tcsd_t)
> +sysnet_dns_name_resolve(tcsd_t)
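Review bot: The two added lines `auth_use_nsswitch(tcsd_t)` and `sysnet_dns_name_resolve(tcsd_t)` give tcsd name-service and DNS client access without any stated reason, while the same hunk deletes every explanatory comment, including the one saying the daemon only accepts connections on the TCS port over loopback. For a domain that already has `dev_rw_tpm` and `dac_override setuid`, each network-facing grant should carry its justification: for example `# Look up the account tcsd switches to.` above `auth_use_nsswitch` (presumably the reason, given the `setuid` capability; confirm against the denials that motivated the change), and keep `# Accept connections on the TCS port over loopback.` above the corenet rules. `auth_use_nsswitch` likely already covers DNS resolution, in which case the final line could stay as `sysnet_read_config(tcsd_t)` or be dropped; this is worth checking against the interface definition. The rest of tcsd.te lies outside the hunk.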

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
