From a00fc1c317884096ce129ac703e5cd8c23d1e895 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Jun 25 2010 13:43:54 +0000 Subject: hddtemp fixes. Clean up network control section. Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are: - hddtemp_t no longer needs access to read all generic etc_t files. - allows us to implement a meaningful hddtemp_admin() Signed-off-by: Dominick Grift Signed-off-by: Chris PeBenito --- diff --git a/policy/modules/services/hddtemp.fc b/policy/modules/services/hddtemp.fc index 67ea7b6..d81eb37 100644 --- a/policy/modules/services/hddtemp.fc +++ b/policy/modules/services/hddtemp.fc @@ -1,3 +1,5 @@ /etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) -/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) +/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) + +/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if index af25134..fde2c3d 100644 --- a/policy/modules/services/hddtemp.if +++ b/policy/modules/services/hddtemp.if @@ -1,12 +1,13 @@ -## hddtemp hard disk temperature tool running as a daemon +## hddtemp hard disk temperature tool running as a daemon. ####################################### ## -## Execute hddtemp in the hddtemp domain. +## Execute a domain transition to run +## hddtemp. ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -15,13 +16,13 @@ interface(`hddtemp_domtrans',` type hddtemp_t, hddtemp_exec_t; ') - corecmd_search_bin($1) domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) + corecmd_search_bin($1) ') ###################################### ## -## Execute hddtemp +## Execute hddtemp. ## ## ## 
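Review bot: The new `/etc/sysconfig/hddtemp` entry in hddtemp.fc only takes effect once the file is relabeled, and nothing in the commit says so. On a system where the file already exists it keeps its current type (presumably `etc_t`) until then, so the `hddtemp_etc_t` read rule added in hddtemp.te would not match it. A line in the commit description or upgrade notes such as `run restorecon -v /etc/sysconfig/hddtemp after loading the module` would make that explicit. The `--` specifier also limits the match to a regular file, so a symlinked config would stay unlabeled by this entry.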
@@ -35,4 +36,43 @@ interface(`hddtemp_exec',` ') can_exec($1, hddtemp_exec_t) + corecmd_search_bin($1) +') + +######################################## +## +## All of the rules required to +## administrate an hddtemp environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`hddtemp_admin',` + gen_require(` + type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; + ') + + allow $1 hddtemp_t:process { ptrace signal_perms }; + ps_process_pattern($1, hddtemp_t) + + init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 hddtemp_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, hddtemp_etc_t) + files_search_etc($1) + + allow $1 hddtemp_t:dir list_dir_perms; + read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) + kernel_search_proc($1) ') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te index 49c095c..d67a8a7 100644 --- a/policy/modules/services/hddtemp.te +++ b/policy/modules/services/hddtemp.te @@ -12,6 +12,9 @@ init_daemon_domain(hddtemp_t, hddtemp_exec_t) type hddtemp_initrc_exec_t; init_script_file(hddtemp_initrc_exec_t) +type hddtemp_etc_t; +files_config_file(hddtemp_etc_t) + ######################################## # # hddtemp local policy 
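Review bot: In `hddtemp_admin`, the rule `allow $1 hddtemp_t:process { ptrace signal_perms };` gives the admin domain ptrace over a daemon that hddtemp.te lets read fixed disks raw (`storage_raw_read_fixed_disk(hddtemp_t)`). Anyone granted this interface can therefore reach raw disk contents through the traced process, which is more than starting, stopping and configuring the service requires. I would narrow it to `allow $1 hddtemp_t:process signal_perms;`, or else state the ptrace grant in the interface's summary so callers know what they are handing out. The trailing `allow $1 hddtemp_t:dir list_dir_perms;` and `read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)` look like they repeat what `ps_process_pattern($1, hddtemp_t)` already grants; worth confirming against the pattern definition and dropping them if so.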
@@ -23,10 +26,19 @@ allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms; allow hddtemp_t self:tcp_socket create_stream_socket_perms; allow hddtemp_t self:udp_socket create_socket_perms; -corenet_tcp_bind_all_nodes(hddtemp_t) +allow hddtemp_t hddtemp_etc_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(hddtemp_t) +corenet_all_recvfrom_netlabel(hddtemp_t) +corenet_tcp_sendrecv_generic_if(hddtemp_t) +corenet_tcp_sendrecv_generic_node(hddtemp_t) +corenet_tcp_bind_generic_node(hddtemp_t) +corenet_tcp_sendrecv_all_ports(hddtemp_t) corenet_tcp_bind_hddtemp_port(hddtemp_t) +corenet_sendrecv_hddtemp_server_packets(hddtemp_t) +corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) -# read hddtemp db file +files_search_etc(hddtemp_t) files_read_usr_files(hddtemp_t) storage_raw_read_fixed_disk(hddtemp_t)
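Review bot: `corenet_tcp_sendrecv_all_ports(hddtemp_t)` in the rewritten network section allows TCP traffic on every port type, which makes the `corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)` line added below it redundant. For a daemon that only binds `hddtemp_port`, dropping the all-ports line keeps the port-level rules as narrow as the bind rule. The hunk also deletes the `# read hddtemp db file` comment while keeping `files_read_usr_files(hddtemp_t)`, so the reason for the /usr read access is lost. I would keep it as `# read hddtemp db file` directly above `files_read_usr_files(hddtemp_t)`, separate from the new `files_search_etc(hddtemp_t)`.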