commit: ec4ba4836f56d8d07f354fd8113f3439eb240bcc Author: bauen1 <j2468h <AT> gmail <DOT> com> AuthorDate: Sat Feb 1 20:53:04 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 15 07:32:05 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec4ba483
consolesetup: add policy for console-setup Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/services/consolesetup.fc | 9 +++ policy/modules/services/consolesetup.if | 104 ++++++++++++++++++++++++++++++++ policy/modules/services/consolesetup.te | 54 +++++++++++++++++ 3 files changed, 167 insertions(+) diff --git a/policy/modules/services/consolesetup.fc b/policy/modules/services/consolesetup.fc new file mode 100644 index 00000000..847034b7 --- /dev/null +++ b/policy/modules/services/consolesetup.fc @@ -0,0 +1,9 @@ +/etc/console-setup(/.*)? gen_context(system_u:object_r:consolesetup_conf_t,s0) + +/etc/default/console-setup.* -- gen_context(system_u:object_r:consolesetup_conf_t,s0) +/etc/default/keyboard.* -- gen_context(system_u:object_r:consolesetup_conf_t,s0) + +/run/console-setup(/.*)? gen_context(system_u:object_r:consolesetup_runtime_t,s0) + +/usr/lib/console-setup/console-setup\.sh -- gen_context(system_u:object_r:consolesetup_exec_t,s0) +/usr/lib/console-setup/keyboard-setup\.sh -- gen_context(system_u:object_r:consolesetup_exec_t,s0) diff --git a/policy/modules/services/consolesetup.if b/policy/modules/services/consolesetup.if new file mode 100644 index 00000000..888fd234 --- /dev/null +++ b/policy/modules/services/consolesetup.if @@ -0,0 +1,104 @@ +## <summary>console font and keymap setup program for debian</summary> + +######################################## +## <summary> +## Execute console-setup in the consolesetup domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`consolesetup_domtrans', ` + gen_require(` + type consolesetup_t, consolesetup_conf_t, consolesetup_exec_t, consolesetup_runtime_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, consolesetup_exec_t, consolesetup_t) +') + +######################################## +## <summary> +## Read console-setup configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`consolesetup_read_conf',` + gen_require(` + type consolesetup_conf_t; + ') + + files_search_etc($1) + allow $1 consolesetup_conf_t:dir list_dir_perms; + allow $1 consolesetup_conf_t:file read_file_perms; + allow $1 consolesetup_conf_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Execute console-setup configuration files +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`consolesetup_exec_conf', ` + gen_require(` + type consolesetup_conf_t; + ') + + files_search_etc($1) + exec_files_pattern($1, consolesetup_conf_t, consolesetup_conf_t) +') + +######################################## +## <summary> +## Allow the caller to manage +## consolesetup_runtime_t files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`consolesetup_manage_runtime', ` + gen_require(` + type consolesetup_runtime_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t) + manage_files_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t) +') + +######################################## +## <summary> +## Create a console-setup directory in +## the runtime directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`consolesetup_pid_filetrans_runtime', ` + gen_require(` + type consolesetup_runtime_t; + ') + + files_pid_filetrans($1, consolesetup_runtime_t, dir, "console-setup") +') diff --git a/policy/modules/services/consolesetup.te b/policy/modules/services/consolesetup.te new file mode 100644 index 00000000..92fc42f4 --- /dev/null +++ b/policy/modules/services/consolesetup.te @@ -0,0 +1,54 @@ +policy_module(consolesetup, 1.0) + +######################################## +# +# Declarations +# + +type consolesetup_t; +type consolesetup_exec_t; +init_daemon_domain(consolesetup_t, consolesetup_exec_t) + +type consolesetup_conf_t; +files_config_file(consolesetup_conf_t) + +type consolesetup_runtime_t; +files_pid_file(consolesetup_runtime_t) + +type consolesetup_tmp_t; +files_tmp_file(consolesetup_tmp_t) + +######################################## +# +# Local policy +# + +allow consolesetup_t self:capability sys_tty_config; +allow consolesetup_t self:fifo_file rw_inherited_fifo_file_perms; + +can_exec(consolesetup_t, consolesetup_conf_t) + +manage_files_pattern(consolesetup_t, consolesetup_conf_t, consolesetup_conf_t) + +manage_dirs_pattern(consolesetup_t, consolesetup_runtime_t, consolesetup_runtime_t) +manage_files_pattern(consolesetup_t, consolesetup_runtime_t, consolesetup_runtime_t) +files_pid_filetrans(consolesetup_t, consolesetup_runtime_t, dir, "console-setup") + +manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t) +files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file) + +corecmd_exec_bin(consolesetup_t) +corecmd_exec_shell(consolesetup_t) + +files_read_etc_files(consolesetup_t) +files_read_usr_files(consolesetup_t) +files_search_tmp(consolesetup_t) + +term_use_console(consolesetup_t) +term_use_unallocated_ttys(consolesetup_t) + +miscfiles_read_localization(consolesetup_t) + +xserver_read_xkb_libs(consolesetup_t) + +loadkeys_domtrans(consolesetup_t)