commit: 8998df08a5f909c315e8b469e92b372e5bcc4331
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 6 12:22:19 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 7 12:34:47 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8998df08
Module for tmpfiles
---
policy/modules/system/tmpfiles.fc | 7 ++
policy/modules/system/tmpfiles.if | 164 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/tmpfiles.te | 91 +++++++++++++++++++++
3 files changed, 262 insertions(+)
diff --git a/policy/modules/system/tmpfiles.fc
b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?
gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?
gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath --
gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh --
gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+
diff --git a/policy/modules/system/tmpfiles.if
b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..dce932a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,164 @@
+## <summary>Policy for tmpfiles</summary>
+
+########################################
+## <summary>
+## Read files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+ allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+
+ # create new files with the tmpfiles_var_run_t type
+ filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+ create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+ write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+
+ # create new files with the tmpfiles_var_run_t type
+ filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+ manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 tmpfiles_conf_t:dir list_dir_perms;
+ allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ tmpfiles_read_conf($1)
+ filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+ create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+## Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ tmpfiles_read_conf($1)
+ write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+## Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ tmpfiles_read_conf($1)
+ filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+ manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
diff --git a/policy/modules/system/tmpfiles.te
b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..1dc9bff
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,91 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether tmpfiles can manage
+## all non auth and non security files.
+## Without this, it is only allowed things
+## in /dev, /run, /var and /tmp.
+## </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+init_exec_rc(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+corecmd_exec_bin(tmpfiles_t)
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+
+# needs to check if selinux is enabled
+seutil_libselinux_linked(tmpfiles_t)
+selinux_get_enforce_mode(tmpfiles_t)
+
+# creates files / dirs
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_all_pids(tmpfiles_t)
+dev_create_generic_chr_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+ files_manage_non_security_dirs(tmpfiles_t)
+ files_manage_non_security_file_type(tmpfiles_t)
+')
+
+# relabel / chmod files
+seutil_read_file_contexts(tmpfiles_t)
+seutil_domtrans_setfiles(tmpfiles_t)
+
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_getattr_all_chr_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+files_getattr_tmp_dirs(tmpfiles_t)
+files_getattr_generic_locks(tmpfiles_t)
+
+dev_setattr_generic_dirs(tmpfiles_t)
+dev_setattr_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_all_blk_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pids(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+ dev_relabel_all_dev_nodes(tmpfiles_t)
+ files_relabel_non_security_file_type(tmpfiles_t)
+')
+
