Diffstat (limited to 'policy/modules/apps/userhelper.if')
-rw-r--r--policy/modules/apps/userhelper.if231
1 files changed, 231 insertions, 0 deletions
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
new file mode 100644
index 000000000..2cdbf67e6
--- /dev/null
+++ b/policy/modules/apps/userhelper.if
@@ -0,0 +1,231 @@
+## <summary>A wrapper that helps users run system programs.</summary>
+
+#######################################
+## <summary>
+## The role template for the userhelper module.
+## </summary>
+## <param name="userrole_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type, consolehelper_type;
+ attribute_role userhelper_roles, consolehelper_roles;
+ type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_consolehelper_t, consolehelper_type;
+ userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
+
+ role consolehelper_roles types $1_consolehelper_t;
+ roleattribute $2 consolehelper_roles;
+
+ type $1_userhelper_t, userhelper_type;
+ userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
+
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+
+ role userhelper_roles types $1_userhelper_t;
+ roleattribute $2 userhelper_roles;
+
+ ########################################
+ #
+ # Consolehelper local policy
+ #
+
+ allow $1_consolehelper_t $3:unix_stream_socket connectto;
+
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+ allow $3 $1_consolehelper_t:process { ptrace signal_perms };
+ ps_process_pattern($3, $1_consolehelper_t)
+
+ auth_use_pam($1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_all_session_bus($1_consolehelper_t)
+
+ optional_policy(`
+ userhelper_dbus_chat_all_consolehelper($3)
+ ')
+ ')
+
+ ########################################
+ #
+ # Userhelper local policy
+ #
+
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+ dontaudit $3 $1_userhelper_t:process signal;
+
+ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
+
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Search userhelper configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## userhelper configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolehelper over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_dbus_chat_all_consolehelper',`
+ gen_require(`
+ attribute consolehelper_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolehelper_type:dbus send_msg;
+ allow consolehelper_type $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Use userhelper all userhelper file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_use_fd',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:fd use;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to all userhelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the userhelper program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec',`
+ gen_require(`
+ type userhelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, userhelper_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the consolehelper program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec_consolehelper',`
+ gen_require(`
+ type consolehelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, consolehelper_exec_t)
+')
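Review bot: The `ptrace` permission in `allow $3 $1_consolehelper_t:process { ptrace signal_perms };` (consolehelper local policy in `userhelper_role_template`) lets the user domain trace the helper domain that is granted `auth_use_pam`, so whatever the helper holds in memory while authenticating would be readable and modifiable by the calling user domain. The userhelper half of the same template gives `$3` no comparable access (only `dontaudit $3 $1_userhelper_t:process signal;`), which suggests tracing is not needed for the wrapper to function. Unless there is a known consumer, I would narrow the rule to `allow $3 $1_consolehelper_t:process signal_perms;`, and if ptrace has to stay, add a comment above the rule saying which tool depends on it. Separately, the summary of `userhelper_use_fd` reads "Use userhelper all userhelper file descriptors." and should be `## Use all userhelper file descriptors.`.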