commit:     d800e3e8f46a54c1ab5b041deaafbe090b168c83
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 14:45:49 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:29 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d800e3e8

hddtemp: add missing rules for interactive usage

Add missing rules required for hddtemp admins to interactively run
hddtemp.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/hddtemp.if | 29 +++++++++++++++++++++++++++++
 policy/modules/services/hddtemp.te |  4 ++++
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/services/hddtemp.if 
b/policy/modules/services/hddtemp.if
index 269bafd18..2cecebd4e 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -19,6 +19,33 @@ interface(`hddtemp_domtrans',`
        domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
 ')
 
+########################################
+## <summary>
+##     Execute hddtemp in the hddtemp domain, and
+##     allow the specified role the hdd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hddtemp_run',`
+       gen_require(`
+               type hddtemp_t;
+       ')
+
+       hddtemp_domtrans($1)
+       role $2 types hddtemp_t;
+')
+
+
 ######################################
 ## <summary>
 ##     Execute hddtemp in the caller domain.
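Review bot: The summary of the added `hddtemp_run` interface names the wrong domain: the `role $2 types hddtemp_t;` statement grants the role the hddtemp domain, not a "hdd" domain, so the second summary line should read `##     allow the specified role the hddtemp domain.`. Two style points in the same hunk: the separator line above the summary is two characters longer than the one used by the neighbouring interface, and the closing `')` is followed by two blank lines where the rest of the file uses one. The body itself matches the usual refpolicy `_run` shape, and the `type hddtemp_t;` in `gen_require` is needed for the `role ... types` statement, so that part is correct.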
@@ -60,6 +87,8 @@ interface(`hddtemp_admin',`
                type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
        ')
 
+       hddtemp_run($1, $2)
+
        allow $1 hddtemp_t:process { ptrace signal_perms };
        ps_process_pattern($1, hddtemp_t)
 

diff --git a/policy/modules/services/hddtemp.te 
b/policy/modules/services/hddtemp.te
index 35361704b..9357031f9 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -34,6 +34,8 @@ corenet_tcp_bind_generic_node(hddtemp_t)
 corenet_tcp_bind_hddtemp_port(hddtemp_t)
 corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
 
+domain_use_interactive_fds(hddtemp_t)
+
 files_search_etc(hddtemp_t)
 files_read_usr_files(hddtemp_t)
 
@@ -45,3 +47,5 @@ auth_use_nsswitch(hddtemp_t)
 logging_send_syslog_msg(hddtemp_t)
 
 miscfiles_read_localization(hddtemp_t)
+
+userdom_use_user_terminals(hddtemp_t)
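Review bot: `userdom_use_user_terminals(hddtemp_t)` widens the daemon, not just the interactive run, because the init-started service and the admin-launched process share the single hddtemp_t domain; after this line a hddtemp daemon can read, write and open any user tty or pty. If the interactive case only needs the terminal inherited from the admin's shell, the narrower `userdom_use_inherited_user_terminals(hddtemp_t)` covers that without granting open on terminals; whether hddtemp ever opens a tty itself is not visible from this diff, so the choice should be confirmed against the AVC denials the commit is addressing. If the wider rule is intended, a comment such as `# admins run hddtemp interactively from their terminal (see hddtemp_run)` above it would record why a daemon domain holds terminal access.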
