diff options
| author | Chris PeBenito <cpebenito@tresys.com> | 2009-09-02 08:33:25 -0400 |
|---|---|---|
| committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-02 08:33:25 -0400 |
| commit | 71965a1fc58af381ad42a19d3bf5fe8fd54cbfb7 (patch) | |
| tree | 38ff205764bcd73f3f3c339a5419e0e677ce720a | |
| parent | a4b6385b9d4abfbc246d3ebb7edd632394060327 (diff) | |
add kdump from dan.
| -rw-r--r-- | Changelog | 1 | ||||
| -rw-r--r-- | policy/modules/system/kdump.fc | 5 | ||||
| -rw-r--r-- | policy/modules/system/kdump.if | 111 | ||||
| -rw-r--r-- | policy/modules/system/kdump.te | 36 |
4 files changed, 153 insertions, 0 deletions
@@ -10,6 +10,7 @@ - Add missing compatibility aliases for xdm_xserver*_t types. - Added modules: hddtemp (Dan Walsh) + kdump (Dan Walsh) * Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730 - Gentoo fixes for init scripts and system startup. diff --git a/policy/modules/system/kdump.fc b/policy/modules/system/kdump.fc new file mode 100644 index 00000000..c66934fb --- /dev/null +++ b/policy/modules/system/kdump.fc @@ -0,0 +1,5 @@ +/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) +/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) + +/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if new file mode 100644 index 00000000..19e65b83 --- /dev/null +++ b/policy/modules/system/kdump.if @@ -0,0 +1,111 @@ +## <summary>Kernel crash dumping mechanism</summary> + +###################################### +## <summary> +## Execute kdump in the kdump domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`kdump_domtrans',` + gen_require(` + type kdump_t, kdump_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kdump_exec_t, kdump_t) +') + +####################################### +## <summary> +## Execute kdump in the kdump domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`kdump_initrc_domtrans',` + gen_require(` + type kdump_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) +') + +##################################### +## <summary> +## Read kdump configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kdump_read_config',` + gen_require(` + type kdump_etc_t; + ') + + files_search_etc($1) + allow $1 kdump_etc_t:file read_file_perms; +') + +#################################### +## <summary> +## Manage kdump configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kdump_manage_config',` + gen_require(` + type kdump_etc_t; + ') + + files_search_etc($1) + allow $1 kdump_etc_t:file manage_file_perms; +') + +###################################### +## <summary> +## All of the rules required to administrate +## an kdump environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the kdump domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`kdump_admin',` + gen_require(` + type kdump_t, kdump_etc_t; + type kdump_initrc_exec_t; + ') + + allow $1 kdump_t:process { ptrace signal_perms }; + ps_process_pattern($1, kdump_t) + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kdump_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, kdump_etc_t) +') diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te new file mode 100644 index 00000000..a5a75262 --- /dev/null +++ b/policy/modules/system/kdump.te @@ -0,0 +1,36 @@ + +policy_module(kdump, 1.0.0) + +####################################### +# +# Declarations +# + +type kdump_t; +type kdump_exec_t; +init_system_domain(kdump_t, kdump_exec_t) + +type kdump_etc_t; +files_config_file(kdump_etc_t) + +type kdump_initrc_exec_t; +init_script_file(kdump_initrc_exec_t) + +##################################### +# +# kdump local policy +# + +allow kdump_t self:capability { sys_boot dac_override }; + +read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) + +files_read_etc_runtime_files(kdump_t) +files_read_kernel_img(kdump_t) + +kernel_read_system_state(kdump_t) + +dev_read_framebuffer(kdump_t) +dev_read_sysfs(kdump_t) + +term_use_console(kdump_t) |