* [refpolicy] [ plymouth patch 1/1] Implement plymouth policy.
@ 2010-03-21 21:35 Dominick Grift
From: Dominick Grift @ 2010-03-21 21:35 UTC (permalink / raw)
  To: refpolicy


I noticed that Fedora's patch for plymouth was not adopted yet, and since i want to
merge it to my custom policy i decided to make some modifications to it in the process.

On the off chance that this patch improves chances of it to get adopted i submit it.
Be aware that some modifications i made are purely guess work (it does build though).

When i run refpolicy without the unconfined domain on a Fedora 13 system though, i get many AVC denials for kernel_t
where it is executing plymouth commands somewhere really early in the boot process. I wonder
how Fedora got that to work in say policy-MLS.

Signed-off-by: Dominick Grift <domg472@gmail.com>


---
:100644 100644 0352a19... cc054b5... M	policy/modules/kernel/kernel.if
:100644 100644 2aa3808... ef8f249... M	policy/modules/services/hal.if
:000000 100644 0000000... 0138640... A	policy/modules/services/plymouth.fc
:000000 100644 0000000... d65c7c2... A	policy/modules/services/plymouth.if
:000000 100644 0000000... 5391e59... A	policy/modules/services/plymouth.te
:100644 100644 8dc6d81... 71643bc... M	policy/modules/services/xserver.te
:100644 100644 362614c... 5daaf88... M	policy/modules/system/logging.fc
 policy/modules/kernel/kernel.if     |   19 ++
 policy/modules/services/hal.if      |    2 +-
 policy/modules/services/plymouth.fc |    9 +
 policy/modules/services/plymouth.if |  339 +++++++++++++++++++++++++++++++++++
 policy/modules/services/plymouth.te |  103 +++++++++++
 policy/modules/services/xserver.te  |    5 +
 policy/modules/system/logging.fc    |    1 +
 7 files changed, 477 insertions(+), 1 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 0352a19..cc054b5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2807,3 +2807,22 @@ interface(`kernel_unconfined',`
 
 	typeattribute $1 kern_unconfined;
 ')
+
+########################################
+## <summary>
+##	Connect to the kernel on a unix 
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_stream_connect',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_stream_socket connectto;
+')
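Review bot: `kernel_stream_connect` grants only `connectto` on kernel_t's unix_stream_socket; unlike `stream_connect_pattern`, which `plymouthd_stream_connect` uses elsewhere in this patch, it grants no `write` on any sock_file type, so it only covers sockets that have no filesystem path (abstract namespace or inherited descriptors). That limitation should be stated in the summary, e.g. `## Connect to the kernel on a unix stream socket. No sock_file access is granted; callers that need a filesystem socket must obtain that separately.` The summary line `Connect to the kernel on a unix ` also carries trailing whitespace. Given the commit message's remark about kernel_t running plymouth early in boot, a comment naming the socket this is expected to reach would help the next maintainer judge whether the rule is still needed.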
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 2aa3808..ef8f249 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -115,7 +115,7 @@ interface(`hal_dontaudit_use_fds',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
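Review bot: The doc block changed here belongs to an interface whose `interface(` line sits below the hunk; the `@@` context names `hal_dontaudit_use_fds` only because it is the nearest preceding definition. If the interface that owns these lines is itself a `dontaudit` interface, `Domain to not audit.` is the conventional refpolicy wording and this change should be dropped; if it is an allow interface, the new wording is correct. Please confirm against the full file before merging.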
diff --git a/policy/modules/services/plymouth.fc b/policy/modules/services/plymouth.fc
new file mode 100644
index 0000000..0138640
--- /dev/null
+++ b/policy/modules/services/plymouth.fc
@@ -0,0 +1,9 @@
+/bin/plymouth			--	gen_context(system_u:object_r:plymouth_exec_t, s0)
+
+/sbin/plymouthd			--	gen_context(system_u:object_r:plymouthd_exec_t, s0)
+
+/var/lib/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_var_run_t, s0)
+
+/var/spool/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_spool_t, s0)
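Review bot: `plymouthd_read_pid_files` in plymouth.if carries a comment asking whether a `/var/run/plymouth.pid` spec is needed, but this file only labels the `/var/run/plymouth` directory tree; a pid file written directly under /var/run would be labelled `var_run_t` and would not be readable through that interface. Once the daemon's pid path is confirmed, either add `/var/run/plymouth\.pid -- gen_context(system_u:object_r:plymouthd_var_run_t,s0)` here or rewrite the .if comment to state that the pid file lives inside the labelled directory.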
diff --git a/policy/modules/services/plymouth.if b/policy/modules/services/plymouth.if
new file mode 100644
index 0000000..d65c7c2
--- /dev/null
+++ b/policy/modules/services/plymouth.if
@@ -0,0 +1,339 @@
+## <summary>Plymouth graphical boot animation and logger.</summary>
+## <desc>
+##	<p>
+##		Plymouth is an application that runs very early in the
+##		boot process (even before the root filesystem is mounted!)
+##		that provides a graphical boot animation while the boot
+##		process happens in the background.
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans',`
+	gen_require(`
+		type plymouthd_t, plymouthd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+##	Execute the plymouth command in the
+##	current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec_plymouth',`
+	gen_require(`
+		type plymouth_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	plymouth.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans_plymouth',`
+	gen_require(`
+		type plymouth_t, plymouth_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+## <summary>
+##	Execute the plymouth daemon in the 
+##	current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec',`
+	gen_require(`
+		type plymouthd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage plymouthd var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_manage_var_run',`
+	gen_require(`
+		type plymouthd_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+	manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+	manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read plymouthd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_read_pid_files',`
+	gen_require(`
+		type plymouthd_var_run_t;
+	')
+
+	# where is it. If it is in /var/run/plymouth.pid; then we need a fc spec.
+	files_search_pids($1)
+	read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_search_lib',`
+	gen_require(`
+		type plymouthd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	plymouthd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_manage_lib_files',`
+	gen_require(`
+		type plymouthd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, plymouthd_var_lib_t,  plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_read_lib_files',`
+	gen_require(`
+		type plymouthd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage plymouthd var_lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_manage_var_lib',`
+	gen_require(`
+		type plymouthd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+	manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+	manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	plymouthd spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_manage_spool_files',`
+	gen_require(`
+		type plymouthd_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage plymouthd spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_manage_spool',`
+	gen_require(`
+		type plymouthd_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+	manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+	manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+##	Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_read_spool_files',`
+	gen_require(`
+		type plymouthd_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+##	Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_search_spool',`
+	gen_require(`
+		type plymouthd_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 plymouthd_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an plymouthd environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouthd_admin',`
+	gen_require(`
+		type plymouthd_t;
+	')
+
+	allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+	plymouthd_manage_spool($1)
+	plymouthd_manage_var_lib($1)
+	plymouthd_manage_var_run($1)
+')
+
+########################################
+## <summary>
+##	Connect to Plymouth daemon on 
+##	unix stream socket 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_stream_connect',`
+	gen_require(`
+		type plymouthd_t, plymouthd_spool_t;
+	')
+
+	# Assuming it connects to Plymouthd on a socket.
+	files_search_spool($1)
+	stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+')
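Review bot: `plymouthd_admin` documents a `role` parameter (`<param name="role">` and `<rolecap/>`) but the body never references `$2`; either drop both from the doc block or use the parameter (sibling admin interfaces pair it with an init-script domain transition, which this module declares no type for). The body's `read_files_pattern($1, plymouthd_t, plymouthd_t)` is the hand-written form of `ps_process_pattern($1, plymouthd_t)`, which is what the other admin interfaces use and is clearer about intent. Minor: `plymouthd_manage_lib_files` has a doubled space before its last argument, and the summaries of `plymouthd_exec`, `plymouthd_admin` and `plymouthd_stream_connect` have lines ending in trailing whitespace. The `# Assuming it connects to Plymouthd on a socket.` comment in `plymouthd_stream_connect` should be turned into a statement once the socket path is verified, since the interface is already relied on by plymouth.te.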
diff --git a/policy/modules/services/plymouth.te b/policy/modules/services/plymouth.te
new file mode 100644
index 0000000..5391e59
--- /dev/null
+++ b/policy/modules/services/plymouth.te
@@ -0,0 +1,103 @@
+
+policy_module(plymouth, 1.0.0) 
+
+########################################
+#
+# Plymouthd personal declarations.
+#
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+########################################
+#
+# Plymouth personal declarations.
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+
+########################################
+#
+# Plymouthd personal policy.
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process signal;
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t,  plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t,  plymouthd_var_lib_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
+
+kernel_change_ring_buffer_level(plymouthd_t)
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+
+dev_read_framebuffer(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_rw_dri(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_manage_fonts_cache(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_read_localization(plymouthd_t)
+
+########################################
+#
+# Plymouth personal policy.
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+kernel_stream_connect(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+optional_policy(`
+	lvm_domtrans(plymouth_t)
+')
+
+ifdef(`hide_broken_symptoms',`
+	optional_policy(`
+		hal_dontaudit_rw_pipes(plymouth_t)
+		hal_dontaudit_write_log(plymouth_t)
+	')
+')
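Review bot: plymouthd_t is allowed to create directories and files under `plymouthd_var_run_t`, `plymouthd_var_lib_t` and `plymouthd_spool_t`, but no type transition is declared, so anything the daemon creates at runtime under /var/run (commonly a tmpfs that is empty at boot, and the .if description says plymouth runs before the root filesystem is mounted) inherits the parent label `var_run_t` and the `manage_*` rules above never apply to it. Add `files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { dir file })`, plus the matching `files_var_lib_filetrans` / `files_spool_filetrans` calls if those trees are also created at runtime rather than shipped on disk. In the plymouth_t section, `allow plymouth_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` to match the plymouthd_t rule and the class. `allow plymouthd_t self:capability { sys_admin sys_tty_config };` deserves a comment naming the operation that needs `sys_admin`, as it is the broadest grant in the module and the commit message admits some rules are guesswork.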
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8dc6d81..71643bc 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -543,6 +543,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_exec_plymouth(xdm_t)
+	plymouthd_search_spool(xdm_t)
+')
+
+optional_policy(`
 	resmgr_stream_connect(xdm_t)
 ')
 
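Review bot: xdm_t is given `plymouthd_exec_plymouth` (run the plymouth client without a domain transition) plus `plymouthd_search_spool`, but the client side of the plymouthd socket needs `plymouthd_stream_connect`, which grants `write` on the spool sock_file and `connectto` to plymouthd_t; `search_spool` alone only reaches the directory. If xdm runs plymouth to talk to the daemon (for example to end the splash), replace the second line with `plymouthd_stream_connect(xdm_t)`, or use `plymouthd_domtrans_plymouth(xdm_t)` so plymouth_t's own rules apply. The enclosing optional_policy block is fully within the hunk.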
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 362614c..5daaf88 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
 
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
+# Is this still required?
 /var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
 /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 
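Review bot: The added `# Is this still required?` comment leaves an open question in the tree; it should be resolved, or rewritten as a statement of why the spec is kept, before merging. Concretely, this spec labels `/var/spool/plymouth/boot.log` as `var_log_t` while plymouth.fc labels `/var/spool/plymouth(/.*)?` as `plymouthd_spool_t`; the more specific spec wins, so boot.log ends up `var_log_t`, and plymouth.te grants plymouthd_t no access to var_log_t. If plymouthd writes that file, the write will be denied; either drop this spec so the spool label applies, or add the matching logging interface to plymouthd_t.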
-- 
1.7.0.1

