From b6c78b77edecabb5080b20ce387040844ceb13c4 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 12 Dec 2011 14:26:05 +0000 Subject: [PATCH] More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute --- policy/modules/services/boinc.te | 79 +++++++++++++++----------------- 1 file changed, 37 insertions(+), 42 deletions(-) diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te index 61db9092..788087e6 100644 --- a/policy/modules/services/boinc.te +++ b/policy/modules/services/boinc.te @@ -5,6 +5,8 @@ policy_module(boinc, 1.0.0) # Declarations # +attribute boinc_domain; + type boinc_t; type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) @@ -31,6 +33,37 @@ files_tmp_file(boinc_project_tmp_t) type boinc_project_var_lib_t; files_type(boinc_project_var_lib_t) +####################################### +# +# boinc domain local policy +# + +allow boinc_domain self:fifo_file rw_fifo_file_perms; +allow boinc_domain self:sem create_sem_perms; + +# needs read /proc/interrupts +kernel_read_system_state(boinc_domain) + +corecmd_exec_bin(boinc_domain) +corecmd_exec_shell(boinc_domain) + +dev_read_rand(boinc_domain) +dev_read_urand(boinc_domain) +dev_read_sysfs(boinc_domain) + +domain_read_all_domains_state(boinc_domain) + +files_read_etc_files(boinc_domain) +files_read_etc_runtime_files(boinc_domain) +files_read_usr_files(boinc_domain) + +miscfiles_read_fonts(boinc_domain) +miscfiles_read_localization(boinc_domain) + +optional_policy(` + sysnet_dns_name_resolve(boinc_domain) +') + ######################################## # # boinc local policy @@ -39,10 +72,8 @@ files_type(boinc_project_var_lib_t) allow boinc_t self:capability { kill }; allow boinc_t self:process { setsched sigkill }; -allow boinc_t self:fifo_file rw_fifo_file_perms; allow boinc_t self:unix_stream_socket create_stream_socket_perms; allow boinc_t self:tcp_socket create_stream_socket_perms; -allow boinc_t self:sem create_sem_perms; allow boinc_t self:shm create_shm_perms; manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) @@ -60,15 +91,9 @@ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir) manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -# needs read /proc/interrupts -kernel_read_system_state(boinc_t) - files_getattr_all_dirs(boinc_t) files_getattr_all_files(boinc_t) -corecmd_exec_bin(boinc_t) -corecmd_exec_shell(boinc_t) - corenet_all_recvfrom_unlabeled(boinc_t) corenet_all_recvfrom_netlabel(boinc_t) corenet_tcp_sendrecv_generic_if(boinc_t) @@ -85,18 +110,8 @@ corenet_tcp_connect_boinc_port(boinc_t) corenet_tcp_connect_http_port(boinc_t) corenet_tcp_connect_http_cache_port(boinc_t) -dev_list_sysfs(boinc_t) -dev_read_rand(boinc_t) -dev_read_urand(boinc_t) -dev_read_sysfs(boinc_t) - -domain_read_all_domains_state(boinc_t) - files_dontaudit_getattr_boot_dirs(boinc_t) -files_read_etc_files(boinc_t) -files_read_usr_files(boinc_t) - fs_getattr_all_fs(boinc_t) term_getattr_all_ptys(boinc_t) @@ -104,14 +119,11 @@ term_getattr_unallocated_ttys(boinc_t) init_read_utmp(boinc_t) -miscfiles_read_localization(boinc_t) -miscfiles_read_generic_certs(boinc_t) - logging_send_syslog_msg(boinc_t) -sysnet_dns_name_resolve(boinc_t) - -mta_send_mail(boinc_t) +optional_policy(` + mta_send_mail(boinc_t) +') ######################################## # @@ -128,9 +140,6 @@ tunable_policy(`deny_ptrace',`',` allow boinc_project_t self:process ptrace; ') -allow boinc_project_t self:fifo_file rw_fifo_file_perms; -allow boinc_project_t self:sem create_sem_perms; - manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) @@ -149,29 +158,15 @@ allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) -kernel_read_system_state(boinc_project_t) kernel_read_kernel_sysctls(boinc_project_t) kernel_search_vm_sysctl(boinc_project_t) kernel_read_network_state(boinc_project_t) -corecmd_exec_bin(boinc_project_t) -corecmd_exec_shell(boinc_project_t) - corenet_tcp_connect_boinc_port(boinc_project_t) -domain_read_all_domains_state(boinc_project_t) - -dev_read_rand(boinc_project_t) -dev_read_urand(boinc_project_t) -dev_read_sysfs(boinc_project_t) dev_rw_xserver_misc(boinc_project_t) -files_read_etc_files(boinc_project_t) -files_read_etc_runtime_files(boinc_project_t) -files_read_usr_files(boinc_project_t) - -miscfiles_read_fonts(boinc_project_t) -miscfiles_read_localization(boinc_project_t) +files_dontaudit_search_home(boinc_project_t) optional_policy(` java_exec(boinc_project_t) -- 2.47.3