* [refpolicy]  [PATCH] boinc - latest version and terminal checks
@ 2016-07-30 10:21 Russell Coker
From: Russell Coker @ 2016-07-30 10:21 UTC (permalink / raw)
  To: refpolicy

The following patch updates the file contexts for the executable and log
pathnames used by the latest versions of BOINC.

Makes global_prefs_override.xml writable by the daemon as it changes that
in response to commands from the boincmgr program.

Allows it to stat device nodes for terminals and mouse so it will know when
the system is idle.

Added term_getattr_generic_ptys interface for stating unused terminal devices.

diff -ru pol-git.orig/policy/modules/contrib/boinc.fc pol-git/policy/modules/contrib/boinc.fc
--- pol-git.orig/policy/modules/contrib/boinc.fc	2016-07-30 08:13:50.768320877 +1000
+++ pol-git/policy/modules/contrib/boinc.fc	2016-07-30 19:44:26.789849929 +1000
@@ -1,9 +1,13 @@
 /etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
 /usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/bin/boinc		--	gen_context(system_u:object_r:boinc_exec_t,s0)
 
 /var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc-client(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
 /var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 /var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 
 /var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
+/var/log/boincerr\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
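Review bot: The new `/var/lib/boinc-client(/.*)?` entry labels the whole tree boinc_var_lib_t, but unlike the `/var/lib/boinc` tree there are no matching `projects` and `slots` entries for the new location, so a relabel (restorecon) would leave those directories as boinc_var_lib_t instead of boinc_project_var_lib_t. The filetrans_pattern rules in boinc.te only cover creation at runtime; after a relabel, project executables would no longer match the domtrans_pattern into boinc_project_t and, through `can_exec(boinc_t, boinc_var_lib_t)`, would run in the daemon's own domain. If the new layout keeps those subdirectories (presumably it does, given the rest of the policy), add `/var/lib/boinc-client/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)` and `/var/lib/boinc-client/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)`. The last added line should also escape the dot as `global_prefs_override\.xml`, matching `boinc\.log` above, and labelling a file under /etc with a var_lib type deserves a second look, since it gives the daemon whatever write access it holds on boinc_var_lib_t rather than a narrowly scoped type for that one config file.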
diff -ru pol-git.orig/policy/modules/contrib/boinc.te pol-git/policy/modules/contrib/boinc.te
--- pol-git.orig/policy/modules/contrib/boinc.te	2016-07-30 08:13:50.768320877 +1000
+++ pol-git/policy/modules/contrib/boinc.te	2016-07-30 19:44:26.789849929 +1000
@@ -47,6 +47,7 @@
 # Local policy
 #
 
+can_exec(boinc_t, boinc_exec_t)
 allow boinc_t self:process { setsched setpgid signull sigkill };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
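Review bot: `can_exec(boinc_t, boinc_exec_t)` is inserted above the `allow boinc_t self:...` rules, whereas refpolicy groups a domain's self rules first and file-type rules such as can_exec afterwards (the existing `can_exec(boinc_t, boinc_var_lib_t)` in the next hunk shows where it belongs). Moving it next to that line keeps the boinc_t block in the conventional order, and a short comment such as `# boinc re-executes itself` would record why the daemon needs to exec its own binary without a transition, which is not obvious from the rule alone.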
@@ -71,12 +72,13 @@
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
 
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
 logging_log_filetrans(boinc_t, boinc_log_t, file)
 
 can_exec(boinc_t, boinc_var_lib_t)
+libs_exec_lib_files(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
@@ -170,6 +172,11 @@
 
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
 can_exec(boinc_project_t, boinc_project_var_lib_t)
+term_getattr_ptmx(boinc_t)
+dev_getattr_input_dev(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+term_getattr_generic_ptys(boinc_t)
+userdom_getattr_user_ttys(boinc_t)
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
 allow boinc_project_t boinc_tmpfs_t:file { read write };
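Review bot: The five added `*_getattr_*(boinc_t)` calls sit inside the boinc_project_t local-policy block (between `can_exec(boinc_project_t, ...)` and `allow boinc_project_t boinc_t:shm ...`) even though they grant permissions to boinc_t. Refpolicy keeps each domain's rules in its own section with interface calls grouped by module prefix and sorted, so these belong in the boinc_t section alongside the other interface calls it already makes (that section begins outside this hunk). Keeping them there also makes it straightforward to audit later that boinc_project_t, the domain for project executables, does not pick up terminal or input-device access by accident.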
diff -ru pol-git.orig/policy/modules/kernel/terminal.if pol-git/policy/modules/kernel/terminal.if
--- pol-git.orig/policy/modules/kernel/terminal.if	2016-07-28 20:33:39.963961720 +1000
+++ pol-git/policy/modules/kernel/terminal.if	2016-07-30 19:44:26.793850037 +1000
@@ -538,6 +538,23 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of generic pty devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`term_getattr_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:chr_file getattr;
+')
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of generic pty devices.
 ## </summary>
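Review bot: The new interface runs straight into the next block's `########################################` separator with no blank line after its closing `')`, unlike the other interfaces in this file (compare the blank line before the separator at the top of this hunk); add an empty line after `')`. The interface itself mirrors its dontaudit counterpart below in name and scope (getattr on devpts_t chr_file), which is consistent. The summary could usefully state that this covers the generic devpts_t device type only, e.g. `##	Get the attributes of generic pty devices (devpts_t).`, so callers do not expect it to cover user-owned pty types.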


* [refpolicy] [PATCH] boinc - latest version and terminal checks
@ 2016-07-30 20:26 ` Chris PeBenito
From: Chris PeBenito @ 2016-07-30 20:26 UTC (permalink / raw)
  To: refpolicy

On 07/30/16 06:21, Russell Coker wrote:
> The following patch makes some changes for the latest versions of BOINC for
> the pathnames of the executable and logs.
>
> Makes global_prefs_override.xml writable by the daemon as it changes that
> in response to commands from the boincmgr program.
>
> Allows it to stat device nodes for terminals and mouse so it will know when
> the system is idle.
>
> Added term_getattr_generic_ptys interface for stating unused terminal devices.

Merged, though I moved some lines around.



> diff -ru pol-git.orig/policy/modules/contrib/boinc.fc pol-git/policy/modules/contrib/boinc.fc
> --- pol-git.orig/policy/modules/contrib/boinc.fc	2016-07-30 08:13:50.768320877 +1000
> +++ pol-git/policy/modules/contrib/boinc.fc	2016-07-30 19:44:26.789849929 +1000
> @@ -1,9 +1,13 @@
>  /etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
>
>  /usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
> +/usr/bin/boinc		--	gen_context(system_u:object_r:boinc_exec_t,s0)
>
>  /var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
> +/var/lib/boinc-client(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
>  /var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
>  /var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
>
>  /var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
> +/var/log/boincerr\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
> +/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
> diff -ru pol-git.orig/policy/modules/contrib/boinc.te pol-git/policy/modules/contrib/boinc.te
> --- pol-git.orig/policy/modules/contrib/boinc.te	2016-07-30 08:13:50.768320877 +1000
> +++ pol-git/policy/modules/contrib/boinc.te	2016-07-30 19:44:26.789849929 +1000
> @@ -47,6 +47,7 @@
>  # Local policy
>  #
>
> +can_exec(boinc_t, boinc_exec_t)
>  allow boinc_t self:process { setsched setpgid signull sigkill };
>  allow boinc_t self:unix_stream_socket { accept listen };
>  allow boinc_t self:tcp_socket { accept listen };
> @@ -71,12 +72,13 @@
>  filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
>  filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
>
> -append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
> +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
>  create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
>  setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
>  logging_log_filetrans(boinc_t, boinc_log_t, file)
>
>  can_exec(boinc_t, boinc_var_lib_t)
> +libs_exec_lib_files(boinc_t)
>
>  domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
>
> @@ -170,6 +172,11 @@
>
>  allow boinc_project_t boinc_project_var_lib_t:file execmod;
>  can_exec(boinc_project_t, boinc_project_var_lib_t)
> +term_getattr_ptmx(boinc_t)
> +dev_getattr_input_dev(boinc_t)
> +dev_getattr_mouse_dev(boinc_t)
> +term_getattr_generic_ptys(boinc_t)
> +userdom_getattr_user_ttys(boinc_t)
>
>  allow boinc_project_t boinc_t:shm rw_shm_perms;
>  allow boinc_project_t boinc_tmpfs_t:file { read write };
> diff -ru pol-git.orig/policy/modules/kernel/terminal.if pol-git/policy/modules/kernel/terminal.if
> --- pol-git.orig/policy/modules/kernel/terminal.if	2016-07-28 20:33:39.963961720 +1000
> +++ pol-git/policy/modules/kernel/terminal.if	2016-07-30 19:44:26.793850037 +1000
> @@ -538,6 +538,23 @@
>
>  ########################################
>  ## <summary>
> +##	Get the attributes of generic pty devices.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to allow
> +##	</summary>
> +## </param>
> +#
> +interface(`term_getattr_generic_ptys',`
> +	gen_require(`
> +		type devpts_t;
> +	')
> +
> +	allow $1 devpts_t:chr_file getattr;
> +')
> +########################################
> +## <summary>
>  ##	Do not audit attempts to get the attributes
>  ##	of generic pty devices.
>  ## </summary>
>


-- 
Chris PeBenito

