From 71965a1fc58af381ad42a19d3bf5fe8fd54cbfb7 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Wed, 2 Sep 2009 08:33:25 -0400
Subject: add kdump from dan.

---
 Changelog                      |   1 +
 policy/modules/system/kdump.fc |   5 ++
 policy/modules/system/kdump.if | 111 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/kdump.te |  36 +++++++++++++
 4 files changed, 153 insertions(+)
 create mode 100644 policy/modules/system/kdump.fc
 create mode 100644 policy/modules/system/kdump.if
 create mode 100644 policy/modules/system/kdump.te

diff --git a/Changelog b/Changelog
index 61bb77ce..51dceb7e 100644
--- a/Changelog
+++ b/Changelog
@@ -10,6 +10,7 @@
 - Add missing compatibility aliases for xdm_xserver*_t types.
 - Added modules:
 	hddtemp (Dan Walsh)
+	kdump (Dan Walsh)
 
 * Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
 - Gentoo fixes for init scripts and system startup.
diff --git a/policy/modules/system/kdump.fc b/policy/modules/system/kdump.fc
new file mode 100644
index 00000000..c66934fb
--- /dev/null
+++ b/policy/modules/system/kdump.fc
@@ -0,0 +1,5 @@
+/etc/kdump\.conf	--	gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump --	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
+/sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if
new file mode 100644
index 00000000..19e65b83
--- /dev/null
+++ b/policy/modules/system/kdump.if
@@ -0,0 +1,111 @@
+## <summary>Kernel crash dumping mechanism</summary>
+
+######################################
+## <summary>
+##	Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`kdump_domtrans',`
+	gen_require(`
+		type kdump_t, kdump_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, kdump_exec_t, kdump_t)
+')
+
+#######################################
+## <summary>
+##	Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`kdump_initrc_domtrans',`
+	gen_require(`
+		type kdump_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+##	Read kdump configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_read_config',`
+	gen_require(`
+		type kdump_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 kdump_etc_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+##	Manage kdump configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_manage_config',`
+	gen_require(`
+		type kdump_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 kdump_etc_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate 
+##	an kdump environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the kdump domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kdump_admin',`
+	gen_require(`
+		type kdump_t, kdump_etc_t;
+		type kdump_initrc_exec_t;
+	')
+
+	allow $1 kdump_t:process { ptrace signal_perms };
+	ps_process_pattern($1, kdump_t)
+
+	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 kdump_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, kdump_etc_t)
+')
diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te
new file mode 100644
index 00000000..a5a75262
--- /dev/null
+++ b/policy/modules/system/kdump.te
@@ -0,0 +1,36 @@
+
+policy_module(kdump, 1.0.0)
+
+#######################################
+#
+# Declarations
+#
+
+type kdump_t;
+type kdump_exec_t;
+init_system_domain(kdump_t, kdump_exec_t)
+
+type kdump_etc_t;
+files_config_file(kdump_etc_t)
+
+type kdump_initrc_exec_t;
+init_script_file(kdump_initrc_exec_t)
+
+#####################################
+#
+# kdump local policy
+#
+
+allow kdump_t self:capability { sys_boot dac_override };
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+files_read_etc_runtime_files(kdump_t)
+files_read_kernel_img(kdump_t)
+
+kernel_read_system_state(kdump_t)
+
+dev_read_framebuffer(kdump_t)
+dev_read_sysfs(kdump_t)
+
+term_use_console(kdump_t)
-- 
cgit v1.2.3