diff options
author | Hans Ulrich Niedermann <hun@n-dimensional.de> | 2009-07-11 17:19:47 +0200 |
---|---|---|
committer | Hans Ulrich Niedermann <hun@n-dimensional.de> | 2009-07-11 17:19:47 +0200 |
commit | 92462a40fa95eeb9d3eee7c245e56b9c66a4a6af (patch) | |
tree | d1f0dd2a5cd2633404ed58d603fe8d396ba8ed94 | |
parent | 03a14c13aea1522d4f11f42b9e5b5d720b252713 (diff) | |
download | gps-devices-package-92462a40fa95eeb9d3eee7c245e56b9c66a4a6af.tar.gz gps-devices-package-92462a40fa95eeb9d3eee7c245e56b9c66a4a6af.tar.xz gps-devices-package-92462a40fa95eeb9d3eee7c245e56b9c66a4a6af.zip |
Copy serefpolicy gpsd policy, add access to gps_device_t
-rw-r--r-- | gpsd-devices.fc | 10 | ||||
-rw-r--r-- | gpsd-devices.if | 99 | ||||
-rw-r--r-- | gpsd-devices.te | 70 |
3 files changed, 125 insertions, 54 deletions
diff --git a/gpsd-devices.fc b/gpsd-devices.fc index 9cf7c4c..e5071f1 100644 --- a/gpsd-devices.fc +++ b/gpsd-devices.fc @@ -1,6 +1,6 @@ -# myapp executable will have: -# label: system_u:object_r:myapp_exec_t -# MLS sensitivity: s0 -# MCS categories: <none> +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) -/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0) +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/gpsd-devices.if b/gpsd-devices.if index 54d42ae..3eeda41 100644 --- a/gpsd-devices.if +++ b/gpsd-devices.if @@ -1,54 +1,83 @@ -## <summary>Myapp example policy</summary> -## <desc> -## <p> -## More descriptive text about myapp. The desc -## tag can also use p, ul, and ol -## html tags for formatting. -## </p> -## <p> -## This policy supports the following myapp features: -## <ul> -## <li>Feature A</li> -## <li>Feature B</li> -## <li>Feature C</li> -## </ul> -## </p> -## </desc> +## <summary>gpsd monitor daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run gpsd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> # +interface(`gpsd_domtrans',` + gen_require(` + type gpsd_t, gpsd_exec_t; + ') + + domtrans_pattern($1, gpsd_exec_t, gpsd_t) +') ######################################## ## <summary> -## Execute a domain transition to run myapp. +## Execute gpsd in the gpsd domain, and +## allow the specified role the gpsd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the gpsd domain. +## </summary> +## </param> +# +interface(`gpsd_run',` + gen_require(` + type gpsd_t; + ') + + gpsd_domtrans($1) + role $2 types gpsd_t; +') + +######################################## +## <summary> +## Read and write to gpsd shared memory. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> +## <summary> +## The type of the process performing this action. +## </summary> ## </param> # -interface(`myapp_domtrans',` - gen_require(` - type myapp_t, myapp_exec_t; - ') +interface(`gpsd_rw_shm',` + gen_require(` + type gpsd_t; + ') - domtrans_pattern($1,myapp_exec_t,myapp_t) + allow $1 gpsd_t:shm rw_shm_perms; ') ######################################## ## <summary> -## Read myapp log files. +## Read/write gpsd tmpfs files. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed to read the log files. -## </summary> +## <summary> +## The type of the process performing this action. +## </summary> ## </param> # -interface(`myapp_read_log',` - gen_require(` - type myapp_log_t; - ') +interface(`gpsd_rw_tmpfs_files',` + gen_require(` + type gpsd_tmpfs_t; + ') - logging_search_logs($1) - allow $1 myapp_log_t:file read_file_perms; + fs_search_tmpfs($1) + allow $1 gpsd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) ') diff --git a/gpsd-devices.te b/gpsd-devices.te index 8238355..7a1309f 100644 --- a/gpsd-devices.te +++ b/gpsd-devices.te @@ -1,28 +1,70 @@ - -policy_module(myapp,1.0.0) +policy_module(gpsd_devices,0.0.1) ######################################## # # Declarations # -type myapp_t; -type myapp_exec_t; -domain_type(myapp_t) -domain_entry_file(myapp_t, myapp_exec_t) +type gpsd_t; +type gpsd_exec_t; +application_domain(gpsd_t, gpsd_exec_t) +init_daemon_domain(gpsd_t, gpsd_exec_t) + +type gpsd_initrc_exec_t; +init_script_file(gpsd_initrc_exec_t) -type myapp_log_t; -logging_log_file(myapp_log_t) +type gpsd_tmpfs_t; +files_tmpfs_file(gpsd_tmpfs_t) -type myapp_tmp_t; -files_tmp_file(myapp_tmp_t) +type gpsd_var_run_t; +files_pid_file(gpsd_var_run_t) ######################################## # -# Myapp local policy +# gpsd local policy # -allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; +allow gpsd_t self:capability { setuid sys_nice setgid fowner }; +allow gpsd_t self:process setsched; +allow gpsd_t self:shm create_shm_perms; +allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow gpsd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) + +manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) + +corenet_all_recvfrom_unlabeled(gpsd_t) +corenet_all_recvfrom_netlabel(gpsd_t) +corenet_tcp_sendrecv_generic_if(gpsd_t) +corenet_tcp_sendrecv_generic_node(gpsd_t) +corenet_tcp_sendrecv_all_ports(gpsd_t) +corenet_tcp_bind_all_nodes(gpsd_t) +corenet_tcp_bind_gpsd_port(gpsd_t) + +term_use_unallocated_ttys(gpsd_t) +term_setattr_unallocated_ttys(gpsd_t) + +auth_use_nsswitch(gpsd_t) + +logging_send_syslog_msg(gpsd_t) + +miscfiles_read_localization(gpsd_t) + +optional_policy(` + ntpd_rw_shm(gpsd_t) + ntpd_rw_tmpfs_files(gpsd_t) +') + +optional_policy(` + dbus_system_bus_client(gpsd_t) +') -allow myapp_t myapp_tmp_t:file manage_file_perms; -files_tmp_filetrans(myapp_t,myapp_tmp_t,file) +gps_device_getattr_gps_dev(gpsd_t) +gps_device_setattr_gps_dev(gpsd_t) +gps_device_read_gps_dev(gpsd_t) +gps_device_rw_gps_dev(gpsd_t) |