Changeset 2719

Timestamp:

06/17/08 09:07:44 (4 months ago)

Author:

cpebenito

Message:

trunk: podsleuth and hal updates from dan.

Files:

• trunk/Changelog (modified) (1 diff)
• trunk/policy/modules/apps/mono.if (modified) (1 diff)
• trunk/policy/modules/apps/mono.te (modified) (1 diff)
• trunk/policy/modules/apps/podsleuth.fc (added)
• trunk/policy/modules/apps/podsleuth.if (added)
• trunk/policy/modules/apps/podsleuth.te (added)
• trunk/policy/modules/services/hal.fc (modified) (2 diffs)
• trunk/policy/modules/services/hal.te (modified) (13 diffs)

trunk/Changelog

@@ -14 +14 @@
-        kerneloops (Dan Walsh)
-        kismet (Dan Walsh)
+        podsleuth (Dan Walsh)
-        prelude (Dan Walsh)
-        qemu (Dan Walsh)

trunk/policy/modules/apps/mono.if

@@ -19 +19 @@
-        domtrans_pattern($1, mono_exec_t, mono_t)
-')
+
+########################################
+## <summary>
+##      Execute the mono program in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mono_exec',`
+        gen_require(`
+                type mono_t, mono_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, mono_exec_t)
+')

trunk/policy/modules/apps/mono.te

@@ -1 +1 @@
-
-1
+2
-
-########################################

trunk/policy/modules/services/hal.fc

@@ -9 +9 @@
-/usr/libexec/hal-system-sonypic         --      gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
-/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight --    gen_context(system_u:object_r:hald_mac_exec_t,s0)
-
-/usr/sbin/hald          --                      gen_context(system_u:object_r:hald_exec_t,s0)
@@ -16 +17 @@
-/var/lib/hal(/.*)?                              gen_context(system_u:object_r:hald_var_lib_t,s0)
-
+/var/log/pm(/.*)?                               gen_context(system_u:object_r:hald_log_t,s0)
-/var/log/pm-suspend\.log                        gen_context(system_u:object_r:hald_log_t,s0)
-
+/var/run/hald(/.*)?                             gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/haldaemon\.pid --                      gen_context(system_u:object_r:hald_var_run_t,s0)
-
+
+
+
-
-ifdef(`distro_gentoo',`

trunk/policy/modules/services/hal.te

@@ -1 +1 @@
-
-2
+3
-
-########################################
@@ -58 +58 @@
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
-signal_perms
+{ getattr signal_perms }
-allow hald_t self:fifo_file rw_fifo_file_perms;
-allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -71 +71 @@
-
-# log files for hald
-
+
-logging_log_filetrans(hald_t,hald_log_t,file)
-
@@ -83 +83 @@
-manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
-
+manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
-manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
-hald_var_run_t,file
+ hald_var_run_t, { dir file }
-
-kernel_read_system_state(hald_t)
@@ -94 +95 @@
-kernel_rw_vm_sysctls(hald_t)
-kernel_write_proc_files(hald_t)
+kernel_setsched(hald_t)
-
-auth_read_pam_console_data(hald_t)
@@ -120 +122 @@
-dev_setattr_usbfs_files(hald_t)
-dev_rw_power_management(hald_t)
+dev_read_raw_memory(hald_t)
-# hal is now execing pm-suspend
-dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
-
-domain_use_interactive_fds(hald_t)
@@ -167 +171 @@
-auth_use_nsswitch(hald_t)
-
+fstools_getattr_swap_files(hald_t)
+
-init_domtrans_script(hald_t)
-init_read_utmp(hald_t)
@@ -246 +252 @@
-
-optional_policy(`
+        gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
-        hotplug_read_config(hald_t)
-')
@@ -267 +277 @@
-
-optional_policy(`
+        podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
-        rpc_search_nfs_state_data(hald_t)
-')
@@ -293 +307 @@
-
-allow hald_acl_t self:capability { dac_override fowner };
-
+
+
-
-domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
@@ -303 +318 @@
-files_search_var_lib(hald_acl_t)
-
+manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+
-corecmd_exec_bin(hald_acl_t)
-
-dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
-dev_getattr_generic_usb_dev(hald_acl_t)
-dev_getattr_video_dev(hald_acl_t)
@@ -340 +360 @@
-files_search_var_lib(hald_mac_t)
-
+kernel_read_system_state(hald_mac_t)
+
+dev_read_raw_memory(hald_mac_t)
-dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
-
-files_read_usr_files(hald_mac_t)
@@ -393 +417 @@
-
-miscfiles_read_localization(hald_keymap_t)
+
+# This is caused by a bug in hald and PolicyKit.  
+# Should be removed when this is fixed
+#cron_read_system_job_lib_files(hald_t)