From 3507646d00264738b50e5f8c1c071cc59d2c4662 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 17 2012 12:24:08 +0000 Subject: Changes to the plymouthd policy module Ported from Fedora with changes Client needs block suspend not daemon What is with boot.log? Signed-off-by: Dominick Grift --- diff --git a/plymouthd.fc b/plymouthd.fc index 5702ca4..9f9d9d0 100644 --- a/plymouthd.fc +++ b/plymouthd.fc @@ -1,7 +1,17 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) -/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) +/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) + +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) + +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) + +/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) +/var/run/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) + +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) +/var/spool/plymouth/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) diff --git a/plymouthd.if b/plymouthd.if index 9759ed8..30e751f 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ -## Plymouth graphical boot +## Plymouth graphical boot. ######################################## ## 
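Review bot: The three new `boot\.log.*` entries in the plymouthd.fc hunk match every regular file whose path merely begins with `boot.log` under /var/log, /var/run and /var/spool/plymouth, and label it `plymouthd_var_log_t` at `mls_systemhigh`. The named type transitions added in plymouthd.te cover only the exact name `boot.log`. A differently named file (a rotated log, for instance) that the daemon creates in /var/run or in the spool directory would therefore get the pid or spool type at creation and a different label after a relabel. If only rotated copies are meant, a tighter expression such as `/var/log/boot\.log(-.*)?` (adjusted to the actual rotation suffix) states that. A one-line comment on why boot.log can live in three directories would also settle the question the commit message leaves open.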
@@ -10,17 +10,18 @@ ## ## # -interface(`plymouthd_domtrans', ` +interface(`plymouthd_domtrans',` gen_require(` type plymouthd_t, plymouthd_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) ') ######################################## ## -## Execute the plymoth daemon in the current domain +## Execute plymouthd in the caller domain. ## ## ## @@ -28,18 +29,19 @@ interface(`plymouthd_domtrans', ` ## ## # -interface(`plymouthd_exec', ` +interface(`plymouthd_exec',` gen_require(` type plymouthd_exec_t; ') + corecmd_search_bin($1) can_exec($1, plymouthd_exec_t) ') ######################################## ## -## Allow domain to Stream socket connect -## to Plymouth daemon. +## Connect to plymouthd using a unix +## domain stream socket. ## ## ## @@ -47,17 +49,18 @@ interface(`plymouthd_exec', ` ## ## # -interface(`plymouthd_stream_connect', ` +interface(`plymouthd_stream_connect',` gen_require(` - type plymouthd_t; + type plymouthd_t, plymouthd_spool_t; ') - allow $1 plymouthd_t:unix_stream_socket connectto; + files_search_spool($1) + stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) ') ######################################## ## -## Execute the plymoth command in the current domain +## Execute plymouth in the caller domain. ## ## ## @@ -65,17 +68,18 @@ interface(`plymouthd_stream_connect', ` ## ## # -interface(`plymouthd_exec_plymouth', ` +interface(`plymouthd_exec_plymouth',` gen_require(` type plymouth_exec_t; ') + corecmd_search_bin($1) can_exec($1, plymouth_exec_t) ') ######################################## ## -## Execute a domain transition to run plymouthd. +## Execute a domain transition to run plymouth. ## ## ## @@ -83,11 +87,12 @@ interface(`plymouthd_exec_plymouth', ` ## ## # -interface(`plymouthd_domtrans_plymouth', ` +interface(`plymouthd_domtrans_plymouth',` gen_require(` type plymouth_t, plymouth_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, plymouth_exec_t, plymouth_t) ') 
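Review bot: In the `plymouthd_stream_connect` hunk, `stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)` presumes the daemon's socket is a `sock_file` labelled `plymouthd_spool_t`. Nothing visible in this patch adds a file context for such a socket or lets plymouthd_t create one. If plymouthd actually listens on an abstract-namespace socket (worth confirming), callers now gain search on the spool directory and write on its sock_files for no benefit, and the removed `allow $1 plymouthd_t:unix_stream_socket connectto;` was the least-privilege form. Either keep the plain connectto rule or add a comment naming the socket path that justifies the pattern. The same pattern is repeated for plymouth_t in the client section of plymouthd.te.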
@@ -101,13 +106,13 @@ interface(`plymouthd_domtrans_plymouth', ` ## ## # -interface(`plymouthd_search_spool', ` +interface(`plymouthd_search_spool',` gen_require(` type plymouthd_spool_t; ') - allow $1 plymouthd_spool_t:dir search_dir_perms; files_search_spool($1) + allow $1 plymouthd_spool_t:dir search_dir_perms; ') ######################################## @@ -120,7 +125,7 @@ interface(`plymouthd_search_spool', ` ## ## # -interface(`plymouthd_read_spool_files', ` +interface(`plymouthd_read_spool_files',` gen_require(` type plymouthd_spool_t; ') @@ -140,7 +145,7 @@ interface(`plymouthd_read_spool_files', ` ## ## # -interface(`plymouthd_manage_spool_files', ` +interface(`plymouthd_manage_spool_files',` gen_require(` type plymouthd_spool_t; ') @@ -159,13 +164,13 @@ interface(`plymouthd_manage_spool_files', ` ## ## # -interface(`plymouthd_search_lib', ` +interface(`plymouthd_search_lib',` gen_require(` type plymouthd_var_lib_t; ') - allow $1 plymouthd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) + allow $1 plymouthd_var_lib_t:dir search_dir_perms; ') ######################################## @@ -178,7 +183,7 @@ interface(`plymouthd_search_lib', ` ## ## # -interface(`plymouthd_read_lib_files', ` +interface(`plymouthd_read_lib_files',` gen_require(` type plymouthd_var_lib_t; ') @@ -198,7 +203,7 @@ interface(`plymouthd_read_lib_files', ` ## ## # -interface(`plymouthd_manage_lib_files', ` +interface(`plymouthd_manage_lib_files',` gen_require(` type plymouthd_var_lib_t; ') @@ -209,7 +214,7 @@ interface(`plymouthd_manage_lib_files', ` ######################################## ## -## Read plymouthd PID files. +## Read plymouthd pid files. ## ## ## @@ -217,7 +222,7 @@ interface(`plymouthd_manage_lib_files', ` ## ## # -interface(`plymouthd_read_pid_files', ` +interface(`plymouthd_read_pid_files',` gen_require(` type plymouthd_var_run_t; ') 
@@ -228,8 +233,8 @@ interface(`plymouthd_read_pid_files', ` ######################################## ## -## All of the rules required to administrate -## an plymouthd environment +## All of the rules required to +## administrate an plymouthd environment. ## ## ## @@ -243,18 +248,21 @@ interface(`plymouthd_read_pid_files', ` ## ## # -interface(`plymouthd_admin', ` +interface(`plymouthd_admin',` gen_require(` type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; type plymouthd_var_run_t; ') - allow $1 plymouthd_t:process { ptrace signal_perms getattr }; + allow $1 plymouthd_t:process { ptrace signal_perms }; read_files_pattern($1, plymouthd_t, plymouthd_t) + files_search_spool($1) admin_pattern($1, plymouthd_spool_t) + files_search_var_lib($1) admin_pattern($1, plymouthd_var_lib_t) + files_search_pids($1) admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te index 82dc450..9d78872 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ -policy_module(plymouthd, 1.1.1) +policy_module(plymouthd, 1.1.2) ######################################## # @@ -8,6 +8,7 @@ policy_module(plymouthd, 1.1.1) type plymouth_t; type plymouth_exec_t; application_domain(plymouth_t, plymouth_exec_t) +role system_r types plymouth_t; type plymouthd_t; type plymouthd_exec_t; @@ -19,12 +20,15 @@ files_type(plymouthd_spool_t) type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) +type plymouthd_var_log_t; +logging_log_file(plymouthd_var_log_t) + type plymouthd_var_run_t; files_pid_file(plymouthd_var_run_t) ######################################## # -# Plymouthd private policy +# Daemon local policy # allow plymouthd_t self:capability { sys_admin sys_tty_config }; 
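Review bot: `plymouthd_admin` is not extended for the `plymouthd_var_log_t` type that this commit introduces, so an admin domain can manage the spool, lib and pid files but not the boot logs. Consider adding the type to the `gen_require` list together with `logging_search_logs($1)` and `admin_pattern($1, plymouthd_var_log_t)`. Separately, the hunk drops `getattr` but keeps `read_files_pattern($1, plymouthd_t, plymouthd_t)`, which uses the domain type as a file type; `ps_process_pattern($1, plymouthd_t)` is the usual way to express that /proc access. The unconditional `ptrace` on a domain that holds `sys_admin` (per the daemon section of plymouthd.te) deserves at least a comment explaining why the admin role needs it.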
@@ -42,6 +46,15 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) +manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) + +files_pid_filetrans(plymouthd_t, plymouthd_var_log_t, file, "boot.log") +filetrans_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_var_log_t, file, "boot.log") +logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) + manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) @@ -57,6 +70,8 @@ dev_write_framebuffer(plymouthd_t) domain_use_interactive_fds(plymouthd_t) +fs_getattr_all_fs(plymouthd_t) + files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) 
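Review bot: The new log block in plymouthd.te grants `manage_dirs_pattern` on `plymouthd_var_log_t` and a `{ file dir }` `logging_log_filetrans`, yet plymouthd.fc defines only regular-file (`--`) entries for this type. A directory the daemon creates under /var/log would get a type that a relabel does not preserve. If plymouthd only ever writes boot.log, `logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, file)` without the dirs pattern keeps the grant minimal. The append/create/setattr split, with no write or unlink, is a sound choice for a log type. A short comment such as `# boot log is append-only by design; do not widen to manage_files_pattern` would keep a later edit from undoing it.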
@@ -68,17 +83,35 @@ miscfiles_read_localization(plymouthd_t) miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) +optional_policy(` + gnome_read_generic_home_content(plymouthd_t) +') + +optional_policy(` + sssd_stream_connect(plymouthd_t) +') + +# pending +# optional_policy(` +# xserver_manage_spool_files_xdm(plymouthd_t) +# xserver_read_state_xdm(plymouthd_t) +# ') + ######################################## # -# Plymouth private policy +# Client local policy # allow plymouth_t self:capability2 block_suspend; allow plymouth_t self:process signal; -allow plymouth_t self:fifo_file rw_file_perms; +allow plymouth_t self:fifo_file rw_fifo_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; +stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) + kernel_read_system_state(plymouth_t) +# pending +# kernel_stream_connect(plymouth_t) domain_use_interactive_fds(plymouth_t) @@ -90,9 +123,7 @@ miscfiles_read_localization(plymouth_t) sysnet_read_config(plymouth_t) -plymouthd_stream_connect(plymouth_t) - -ifdef(`hide_broken_symptoms', ` +ifdef(`hide_broken_symptoms',` optional_policy(` hal_dontaudit_write_log(plymouth_t) hal_dontaudit_rw_pipes(plymouth_t)
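Review bot: The two new `optional_policy` blocks give plymouthd_t read access to generic GNOME home content and a stream connection to sssd, with no comment saying what a boot splash daemon needs them for. The daemon section of this file shows that plymouthd_t holds `sys_admin`. Each grant should carry a one-line justification naming the denial it resolves, for example `# NOTE(review): needed for <observed AVC> - confirm or drop`, so that access ported from Fedora is not kept by default. The commented-out `# pending` blocks (the xserver interfaces and `kernel_stream_connect`) are dead policy; either remove them or replace them with a TODO that says what they are waiting on.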