Changeset 2689
- Timestamp:
- 05/22/08 08:54:28 (7 months ago)
- Files:
-
- branches/rbacsep/policy/modules/roles/auditadm.te (modified) (6 diffs)
- branches/rbacsep/policy/modules/roles/secadm.te (modified) (5 diffs)
- branches/rbacsep/policy/modules/roles/staff.te (modified) (5 diffs)
- branches/rbacsep/policy/modules/roles/sysadm.te (modified) (9 diffs)
- branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (5 diffs)
- branches/rbacsep/policy/modules/services/apache.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/apache.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/bluetooth.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/cron.if (modified) (3 diffs)
- branches/rbacsep/policy/modules/services/cron.te (modified) (4 diffs)
- branches/rbacsep/policy/modules/services/dbus.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/dbus.te (modified) (3 diffs)
- branches/rbacsep/policy/modules/services/lpd.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/lpd.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/mta.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/mta.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/pyzor.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/razor.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/razor.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/spamassassin.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/spamassassin.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/services/ssh.if (modified) (1 diff)
- branches/rbacsep/policy/modules/services/ssh.te (modified) (6 diffs)
- branches/rbacsep/policy/modules/system/userdomain.if (modified) (2 diffs)
branches/rbacsep/policy/modules/roles/auditadm.te
r2687 r2689 33 33 34 34 optional_policy(` 35 apache_role(auditadm_r, auditadm_t) 36 ') 37 38 optional_policy(` 39 bluetooth_role(auditadm_r, auditadm_t) 40 ') 41 42 optional_policy(` 35 43 cdrecord_role(auditadm_r, auditadm_t) 36 44 ') … … 38 46 optional_policy(` 39 47 consoletype_exec(auditadm_t) 48 ') 49 50 optional_policy(` 51 cron_role(auditadm_r, auditadm_t) 52 ') 53 54 optional_policy(` 55 dbus_role(auditadm_r, auditadm_t) 40 56 ') 41 57 … … 81 97 82 98 optional_policy(` 99 lpd_role(auditadm_r, auditadm_t) 100 ') 101 102 optional_policy(` 83 103 mozilla_role(auditadm_r, auditadm_t) 84 104 ') … … 89 109 90 110 optional_policy(` 111 mta_role(auditadm_r, auditadm_t) 112 ') 113 114 optional_policy(` 115 pyzor_role(auditadm_r, auditadm_t) 116 ') 117 118 optional_policy(` 119 razor_role(auditadm_r, auditadm_t) 120 ') 121 122 optional_policy(` 91 123 rssh_role(auditadm_r, auditadm_t) 92 124 ') … … 94 126 optional_policy(` 95 127 screen_role(auditadm_r, auditadm_t) 128 ') 129 130 optional_policy(` 131 spamassassin_role(auditadm_r, auditadm_t) 132 ') 133 134 optional_policy(` 135 ssh_role(auditadm_r, auditadm_t) 96 136 ') 97 137 … … 132 172 uml_role(auditadm_r, auditadm_t) 133 173 ') 174 175 optional_policy(` 176 xserver_role(auditadm_r, auditadm_t) 177 ') branches/rbacsep/policy/modules/roles/secadm.te
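Review bot: auditadm_r is a narrow audit-management role, yet this hunk gives it the same desktop/service set that staff and user receive in the same changeset (apache, bluetooth, cron, dbus, lpd, mta, pyzor, razor, spamassassin, ssh, xserver), including apache_role's manage and relabel rights over httpd_user_script_exec_t and the transition into httpd_user_script_t. If that breadth is deliberate for the rbacsep conversion it should be stated, e.g. `# rbacsep: auditadm receives the common user role set; trim once the per-role templates are gone` above the first added block; otherwise apache_role, cron_role and mta_role are the ones to drop first. I cannot tell from this page whether the per-role templates being replaced already granted auditadm_r the same access, so this may be a pre-existing surface rather than a new one.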
r2687 r2689 45 45 46 46 optional_policy(` 47 apache_role(secadm_r, secadm_t) 48 ') 49 50 optional_policy(` 47 51 auditadm_role_change_template(secadm) 48 52 ') 49 53 50 54 optional_policy(` 55 bluetooth_role(secadm_r, secadm_t) 56 ') 57 58 optional_policy(` 51 59 cdrecord_role(secadm_r, secadm_t) 60 ') 61 62 optional_policy(` 63 cron_role(secadm_r, secadm_t) 64 ') 65 66 optional_policy(` 67 dbus_role(secadm_r, secadm_t) 52 68 ') 53 69 … … 89 105 90 106 optional_policy(` 91 netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })107 lpd_role(secadm_r, secadm_t) 92 108 ') 93 109 … … 101 117 102 118 optional_policy(` 119 mta_role(secadm_r, secadm_t) 120 ') 121 122 optional_policy(` 123 netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) 124 ') 125 126 optional_policy(` 127 pyzor_role(secadm_r, secadm_t) 128 ') 129 130 optional_policy(` 131 razor_role(secadm_r, secadm_t) 132 ') 133 134 optional_policy(` 103 135 rssh_role(secadm_r, secadm_t) 104 136 ') … … 106 138 optional_policy(` 107 139 screen_role(secadm_r, secadm_t) 140 ') 141 142 optional_policy(` 143 spamassassin_role(secadm_r, secadm_t) 144 ') 145 146 optional_policy(` 147 ssh_role(secadm_r, secadm_t) 108 148 ') 109 149 … … 144 184 wireshark_role(secadm_r, secadm_t) 145 185 ') 186 187 optional_policy(` 188 xserver_role(secadm_r, secadm_t) 189 ') branches/rbacsep/policy/modules/roles/staff.te
r2687 r2689 17 17 18 18 optional_policy(` 19 apache_role(staff_r, staff_t) 20 ') 21 22 optional_policy(` 19 23 auditadm_role_change_template(staff) 20 24 ') 21 25 22 26 optional_policy(` 27 bluetooth_role(staff_r, staff_t) 28 ') 29 30 optional_policy(` 23 31 cdrecord_role(staff_r, staff_t) 32 ') 33 34 optional_policy(` 35 cron_role(staff_r, staff_t) 36 ') 37 38 optional_policy(` 39 dbus_role(staff_r, staff_t) 24 40 ') 25 41 … … 61 77 62 78 optional_policy(` 79 lpd_role(staff_r, staff_t) 80 ') 81 82 optional_policy(` 63 83 mozilla_role(staff_r, staff_t) 64 84 ') … … 66 86 optional_policy(` 67 87 mplayer_role(staff_r, staff_t) 88 ') 89 90 optional_policy(` 91 mta_role(staff_r, staff_t) 92 ') 93 94 optional_policy(` 95 pyzor_role(staff_r, staff_t) 96 ') 97 98 optional_policy(` 99 razor_role(staff_r, staff_t) 68 100 ') 69 101 … … 78 110 optional_policy(` 79 111 secadm_role_change_template(staff) 112 ') 113 114 optional_policy(` 115 spamassassin_role(staff_r, staff_t) 116 ') 117 118 optional_policy(` 119 ssh_role(staff_r, staff_t) 80 120 ') 81 121 … … 112 152 wireshark_role(staff_r, staff_t) 113 153 ') 154 155 optional_policy(` 156 xserver_role(staff_r, staff_t) 157 ') branches/rbacsep/policy/modules/roles/sysadm.te
r2687 r2689 67 67 #apache_run_all_scripts(sysadm_t, sysadm_r) 68 68 #apache_domtrans_sys_script(sysadm_t) 69 apache_role(sysadm_r, sysadm_t) 69 70 ') 70 71 … … 91 92 92 93 optional_policy(` 94 bluetooth_role(sysadm_r, sysadm_t) 95 ') 96 97 optional_policy(` 93 98 bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 94 99 ') … … 115 120 116 121 optional_policy(` 117 cron_admin_ template(sysadm, sysadm_t, sysadm_r)122 cron_admin_role(sysadm_r, sysadm_t) 118 123 ') 119 124 120 125 optional_policy(` 121 126 cvs_exec(sysadm_t) 127 ') 128 129 optional_policy(` 130 dbus_role(sysadm_r, sysadm_t) 122 131 ') 123 132 … … 221 230 lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 222 231 lpr_admin_template(sysadm, sysadm_t, sysadm_r) 232 lpd_role(sysadm_r, sysadm_t) 223 233 ') 224 234 … … 247 257 optional_policy(` 248 258 mta_admin_template(sysadm, sysadm_t, sysadm_r) 259 mta_role(sysadm_r, sysadm_t) 249 260 ') 250 261 … … 286 297 287 298 optional_policy(` 299 pyzor_role(sysadm_r, sysadm_t) 300 ') 301 302 optional_policy(` 288 303 quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 289 304 ') … … 291 306 optional_policy(` 292 307 raid_domtrans_mdadm(sysadm_t) 308 ') 309 310 optional_policy(` 311 razor_role(sysadm_r, sysadm_t) 293 312 ') 294 313 … … 325 344 seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 326 345 seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 346 ') 347 348 optional_policy(` 349 spamassassin_role(sysadm_r, sysadm_t) 350 ') 351 352 optional_policy(` 353 ssh_role(sysadm_r, sysadm_t) 327 354 ') 328 355 … … 406 433 407 434 optional_policy(` 435 xserver_role(sysadm_r, sysadm_t) 436 ') 437 438 optional_policy(` 408 439 yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 409 440 ') branches/rbacsep/policy/modules/roles/unprivuser.te
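Review bot: `xserver_role(sysadm_r, sysadm_t)` is added here (and in the other four role files), but policy/modules/services/xserver.if is not in this changeset's file list, so the interface must already exist on the branch or the build stops on an undefined interface. If an earlier rbacsep commit introduced it, fine; if not, the five calls should land together with the interface. This hunk also leaves `lpr_admin_template(sysadm, sysadm_t, sysadm_r)` and `mta_admin_template(sysadm, sysadm_t, sysadm_r)` next to the new `lpd_role`/`mta_role` calls; a short comment such as `# admin templates still pending rbacsep conversion` would make the mixed state clearer to the next person touching these blocks.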
r2687 r2689 15 15 16 16 optional_policy(` 17 apache_role(user_r, user_t) 18 ') 19 20 optional_policy(` 21 bluetooth_role(user_r, user_t) 22 ') 23 24 optional_policy(` 17 25 cdrecord_role(user_r, user_t) 26 ') 27 28 optional_policy(` 29 cron_role(user_r, user_t) 30 ') 31 32 optional_policy(` 33 dbus_role(user_r, user_t) 18 34 ') 19 35 … … 55 71 56 72 optional_policy(` 73 lpd_role(user_r, user_t) 74 ') 75 76 optional_policy(` 57 77 mozilla_role(user_r, user_t) 58 78 ') … … 63 83 64 84 optional_policy(` 85 mta_role(user_r, user_t) 86 ') 87 88 optional_policy(` 89 pyzor_role(user_r, user_t) 90 ') 91 92 optional_policy(` 93 razor_role(user_r, user_t) 94 ') 95 96 optional_policy(` 65 97 rssh_role(user_r, user_t) 66 98 ') … … 68 100 optional_policy(` 69 101 screen_role(user_r, user_t) 102 ') 103 104 optional_policy(` 105 spamassassin_role(user_r, user_t) 106 ') 107 108 optional_policy(` 109 ssh_role(user_r, user_t) 70 110 ') 71 111 … … 97 137 wireshark_role(user_r, user_t) 98 138 ') 139 140 optional_policy(` 141 xserver_role(user_r, user_t) 142 ') branches/rbacsep/policy/modules/services/apache.if
r2466 r2689 337 337 ######################################## 338 338 ## <summary> 339 ## Role access for apache 340 ## </summary> 341 ## <param name="role"> 342 ## <summary> 343 ## Role allowed access 344 ## </summary> 345 ## </param> 346 ## <param name="domain"> 347 ## <summary> 348 ## User domain for the role 349 ## </summary> 350 ## </param> 351 # 352 interface(`apache_role',` 353 gen_require(` 354 attribute httpdcontent; 355 type httpd_user_content_t, httpd_user_htaccess_t; 356 type httpd_user_script_t, httpd_user_script_exec_t; 357 type httpd_user_script_ra_t, httpd_user_script_ro_t; 358 type httpd_user_script_rw_t; 359 ') 360 361 role $1 types { httpd_user_content_t httpd_user_htaccess_t }; 362 role $1 types { httpd_user_script_t, httpd_user_script_exec_t }; 363 role $1 types { httpd_user_script_ra_t, httpd_user_script_ro_t }; 364 role $1 types httpd_user_script_rw_t; 365 366 allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; 367 368 allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; 369 370 manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) 371 manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) 372 manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) 373 relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) 374 relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) 375 relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) 376 377 manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) 378 manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) 379 manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) 380 relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) 381 relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) 382 relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) 383 384 
manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) 385 manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) 386 manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) 387 relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) 388 relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) 389 relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) 390 391 manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) 392 manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) 393 manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) 394 relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) 395 relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) 396 relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) 397 398 tunable_policy(`httpd_enable_cgi',` 399 # If a user starts a script by hand it gets the proper context 400 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) 401 ') 402 403 tunable_policy(`httpd_enable_cgi && httpd_unified',` 404 domtrans_pattern($2, httpdcontent, httpd_user_script_t) 405 ') 406 ') 407 408 ######################################## 409 ## <summary> 339 410 ## Read httpd user scripts executables. 340 411 ## </summary> branches/rbacsep/policy/modules/services/apache.te
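Review bot: The second and third role statements in apache_role use commas inside the brace set, `role $1 types { httpd_user_script_t, httpd_user_script_exec_t };` and `role $1 types { httpd_user_script_ra_t, httpd_user_script_ro_t };`, while the first statement and every other role interface in this changeset use whitespace-separated sets. checkpolicy's nested set syntax does not take commas, so these two lines are likely a syntax error once the interface is expanded; write them as `role $1 types { httpd_user_script_t httpd_user_script_exec_t };` and `role $1 types { httpd_user_script_ra_t httpd_user_script_ro_t };`. Separately, the interface gives $2 manage and relabel rights on httpd_user_script_exec_t plus, under httpd_enable_cgi, a transition into httpd_user_script_t, so any role handed apache_role can author and execute CGI scripts; a one-line comment above the manage block stating that intent would help whoever reviews the role files.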
r2686 r2689 733 733 userdom_user_home_content($1,httpd_user_content_t) 734 734 735 allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };736 737 allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };738 739 manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)740 manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)741 manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)742 relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)743 relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)744 relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)745 746 manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)747 manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)748 manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)749 relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)750 relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)751 relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)752 753 manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)754 manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)755 manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)756 relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)757 relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)758 relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)759 760 manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)761 manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)762 manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)763 relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)764 
relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)765 relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)766 767 tunable_policy(`httpd_enable_cgi',`768 # If a user starts a script by hand it gets the proper context769 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)770 ')771 772 735 tunable_policy(`httpd_enable_cgi && httpd_unified',` 773 736 allow httpd_user_script_t httpdcontent:file entrypoint; 774 775 domtrans_pattern($2, httpdcontent, httpd_user_script_t)776 737 ') 777 738 branches/rbacsep/policy/modules/services/bluetooth.if
r2675 r2689 114 114 ######################################## 115 115 ## <summary> 116 ## Role access for bluetooth 117 ## </summary> 118 ## <param name="role"> 119 ## <summary> 120 ## Role allowed access 121 ## </summary> 122 ## </param> 123 ## <param name="domain"> 124 ## <summary> 125 ## User domain for the role 126 ## </summary> 127 ## </param> 128 # 129 interface(`bluetooth_role',` 130 gen_require(` 131 type bluetooth_helper_t, bluetooth_helper_exec_t; 132 type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t; 133 ') 134 135 role $1 types bluetooth_helper_t; 136 role $1 types { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }; 137 138 domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) 139 140 # allow ps to show cdrecord and allow the user to kill it 141 ps_process_pattern($2, bluetooth_helper_t) 142 allow $2 bluetooth_helper_t:process signal; 143 144 manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) 145 manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) 146 manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) 147 148 manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) 149 manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) 150 ') 151 152 ######################################## 153 ## <summary> 116 154 ## Execute bluetooth in the bluetooth domain. 117 155 ## </summary> branches/rbacsep/policy/modules/services/cron.if
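Review bot: The comment `# allow ps to show cdrecord and allow the user to kill it` in bluetooth_role was carried over from cdrecord_role and names the wrong domain; the rules under it concern bluetooth_helper_t, so it should read `# allow ps to show the bluetooth helper and allow the user to signal it`. The rule grants only `signal`, not `sigkill`, so "kill" overstates what the user domain can do. Otherwise the interface follows the same shape as pyzor_role in this changeset.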
r2686 r2689 301 301 allow $1_t self:process signal_perms; 302 302 303 # Transition from the user domain to the derived domain.304 domtrans_pattern($2, crontab_exec_t, $1_t)305 306 # crontab shows up in user ps307 ps_process_pattern($2,$1_t)308 309 # for ^Z310 allow $2 $1_t:process signal;311 312 303 # Allow crond to read those crontabs in cron spool. 313 304 allow crond_t $1_cron_spool_t:file manage_file_perms; … … 331 322 332 323 fs_getattr_xattr_fs($1_t) 333 334 # Run helper programs as the user domain335 corecmd_bin_domtrans($1_t,$2)336 corecmd_shell_domtrans($1_t,$2)337 324 338 325 domain_use_interactive_fds($1_t) … … 418 405 ######################################## 419 406 ## <summary> 407 ## Role access for cron 408 ## </summary> 409 ## <param name="role"> 410 ## <summary> 411 ## Role allowed access 412 ## </summary> 413 ## </param> 414 ## <param name="domain"> 415 ## <summary> 416 ## User domain for the role 417 ## </summary> 418 ## </param> 419 # 420 interface(`cron_role',` 421 422 role $1 types { cronjob_t crontab_t crontab_tmp_t }; 423 424 # cronjob shows up in user ps 425 ps_process_pattern($2, cronjob_t) 426 427 # Transition from the user domain to the derived domain. 
428 domtrans_pattern($2, crontab_exec_t, crontab_t) 429 430 # crontab shows up in user ps 431 ps_process_pattern($2, crontab_t) 432 allow $2 crontab_t:process signal; 433 434 # Run helper programs as the user domain 435 corecmd_bin_domtrans(crontab_t, $2) 436 corecmd_shell_domtrans(crontab_t, $2) 437 438 optional_policy(` 439 dbus_stub(cronjob_t) 440 441 allow cronjob_t $2:dbus send_msg; 442 ') 443 ') 444 445 ######################################## 446 ## <summary> 447 ## Role access for cron 448 ## </summary> 449 ## <param name="role"> 450 ## <summary> 451 ## Role allowed access 452 ## </summary> 453 ## </param> 454 ## <param name="domain"> 455 ## <summary> 456 ## User domain for the role 457 ## </summary> 458 ## </param> 459 # 460 interface(`cron_admin_role',` 461 gen_require(` 462 type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; 463 ') 464 465 role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; 466 467 # cronjob shows up in user ps 468 ps_process_pattern($2, cronjob_t) 469 470 # Manipulate other users crontab. 471 allow $2 self:passwd crontab; 472 473 # Transition from the user domain to the derived domain. 474 domtrans_pattern($2, crontab_exec_t, admin_crontab_t) 475 476 # crontab shows up in user ps 477 ps_process_pattern($2, admin_crontab_t) 478 allow $2 admin_crontab_t:process signal; 479 480 # Run helper programs as the user domain 481 corecmd_bin_domtrans(admin_crontab_t, $2) 482 corecmd_shell_domtrans(admin_crontab_t, $2) 483 484 optional_policy(` 485 dbus_stub(admin_cronjob_t) 486 487 allow cronjob_t $2:dbus send_msg; 488 ') 489 ') 490 491 ######################################## 492 ## <summary> 420 493 ## Make the specified program domain accessable 421 494 ## from the system cron jobs. branches/rbacsep/policy/modules/services/cron.te
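Review bot: cron_role has no gen_require block, yet it uses cronjob_t, crontab_t, crontab_tmp_t and crontab_exec_t; the sibling cron_admin_role below declares its types, and without the declaration the interface will not link when expanded in a module that does not already see the cron types. Add, directly after `interface(`cron_role',`: `gen_require(` / `type cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;` / `')`. In cron_admin_role, `dbus_stub(admin_cronjob_t)` names a type that is neither in its gen_require nor anywhere else in this changeset, while the next line allows `cronjob_t` to send to $2; this looks like a typo for `dbus_stub(cronjob_t)`, which is what the block removed from cron.te used.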
r2686 r2689 27 27 gen_tunable(fcron_crond,false) 28 28 29 attribute cron_spool_type;30 31 29 type anacron_exec_t; 32 30 application_executable_file(anacron_exec_t) … … 87 85 88 86 # Type of user crontabs once moved to cron spool. 89 type user_cron_spool_t , cron_spool_type;87 type user_cron_spool_t; 90 88 files_type(user_cron_spool_t) 91 89 … … 95 93 # 96 94 97 # Manipulate other users crontab.98 allow $2 self:passwd crontab;99 100 95 # Allow our crontab domain to unlink a user cron spool file. 101 allow admin_crontab_t cron_spool_type:file { getattr read unlink };96 allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; 102 97 103 98 # Manipulate other users crontab. … … 579 574 580 575 optional_policy(` 581 dbus_stub(cronjob_t)582 583 allow cronjob_t $2:dbus send_msg;584 ')585 586 optional_policy(`587 576 nis_use_ypbind(cronjob_t) 588 577 ') branches/rbacsep/policy/modules/services/dbus.if
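Review bot: Replacing `allow admin_crontab_t cron_spool_type:file { getattr read unlink };` with `allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };` narrows the admin crontab domain to a single spool type, while cron.if in this same changeset still derives a per-role `$1_cron_spool_t` (see the `allow crond_t $1_cron_spool_t:file manage_file_perms;` context line). If those per-role spool types were members of the dropped cron_spool_type attribute, admin_crontab_t loses read and unlink on other roles' crontabs, so removing another user's crontab from sysadm_r would be denied. Either keep the attribute until the per-role spool types are collapsed, or add `# per-role $1_cron_spool_t types are expected to merge into user_cron_spool_t` so the narrowing is understood as transitional. The admin_crontab_t rule section continues beyond this hunk.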
r2540 r2689 186 186 ') 187 187 188 ######################################## 189 ## <summary> 190 ## Role access for dbus 191 ## </summary> 192 ## <param name="role"> 193 ## <summary> 194 ## Role allowed access 195 ## </summary> 196 ## </param> 197 ## <param name="domain"> 198 ## <summary> 199 ## User domain for the role 200 ## </summary> 201 ## </param> 202 # 203 interface(`dbus_role',` 204 gen_require(` 205 class dbus { send_msg acquire_svc }; 206 207 type system_dbusd_t, session_dbusd_t, dbusd_exec_t; 208 type session_dbusd_tmp_t; 209 ') 210 211 role $1 types { session_dbusd_t session_dbusd_tmp_t }; 212 213 domtrans_pattern($2, dbusd_exec_t, session_dbusd_t) 214 allow $2 session_dbusd_t:process { sigkill signal }; 215 # For connecting to the bus 216 allow $2 session_dbusd_t:unix_stream_socket connectto; 217 218 # SE-DBus specific permissions 219 allow $2 session_dbusd_t:dbus { send_msg acquire_svc }; 220 allow $2 system_dbusd_t:dbus { send_msg acquire_svc }; 221 222 # cjp: this seems very broken 223 corecmd_bin_domtrans(session_dbusd_t, $2) 224 allow session_dbusd_t $2:process sigkill; 225 allow $2 session_dbusd_t:fd use; 226 allow $2 session_dbusd_t:fifo_file rw_fifo_file_perms; 227 allow $2 session_dbusd_t:process sigchld; 228 229 ifdef(`hide_broken_symptoms', ` 230 dontaudit $2 session_dbusd_t:netlink_selinux_socket { read write }; 231 ') 232 ') 233 188 234 ####################################### 189 235 ## <summary> branches/rbacsep/policy/modules/services/dbus.te
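Review bot: dbus_role transitions on `dbusd_exec_t`, but the block it replaces in dbus.te (same changeset) transitioned on `system_dbusd_exec_t`; unless dbusd_exec_t is an alias of that type, a user domain launching dbus-daemon will no longer enter session_dbusd_t and the session bus will run in the caller's domain with the caller's access. Please confirm the executable type against dbus.te, or require `system_dbusd_exec_t` in gen_require and use it in the domtrans_pattern line. The carried-over `# cjp: this seems very broken` above `corecmd_bin_domtrans(session_dbusd_t, $2)` would be more useful as a statement of the problem, e.g. `# FIXME: lets the session bus spawn bin_t programs back in the user domain; presumably needed for service activation, should be narrowed`.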
r2686 r2689 49 49 allow session_dbusd_t self:netlink_selinux_socket create_socket_perms; 50 50 51 # For connecting to the bus52 allow $2 session_dbusd_t:unix_stream_socket connectto;53 54 51 # SE-DBus specific permissions 55 52 allow session_dbusd_t self:dbus send_msg; 56 allow $2 session_dbusd_t:dbus { send_msg acquire_svc };57 allow $2 system_dbusd_t:dbus { send_msg acquire_svc };58 53 59 54 allow session_dbusd_t dbusd_etc_t:dir list_dir_perms; … … 61 56 read_lnk_files_pattern(session_dbusd_t, dbusd_etc_t, dbusd_etc_t) 62 57 63 manage_dirs_pattern(session_dbusd_t, session_dbusd_tmp_t,session_dbusd_tmp_t)64 manage_files_pattern(session_dbusd_t, session_dbusd_tmp_t,session_dbusd_tmp_t)58 manage_dirs_pattern(session_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) 59 manage_files_pattern(session_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) 65 60 files_tmp_filetrans(session_dbusd_t, session_dbusd_tmp_t, { file dir }) 66 67 domtrans_pattern($2, system_dbusd_exec_t, session_dbusd_t)68 allow $2 session_dbusd_t:process { sigkill signal };69 70 # cjp: this seems very broken71 corecmd_bin_domtrans(session_dbusd_t, $2)72 allow session_dbusd_t $2:process sigkill;73 allow $2 session_dbusd_t:fd use;74 allow $2 session_dbusd_t:fifo_file rw_fifo_file_perms;75 allow $2 session_dbusd_t:process sigchld;76 61 77 62 kernel_read_system_state(session_dbusd_t) … … 126 111 127 112 userdom_read_user_home_content_files($1, session_dbusd_t) 128 129 ifdef(`hide_broken_symptoms', `130 dontaudit $2 session_dbusd_t:netlink_selinux_socket { read write };131 ')132 113 133 114 tunable_policy(`read_default_t',` branches/rbacsep/policy/modules/services/lpd.if
r2675 r2689 235 235 ######################################## 236 236 ## <summary> 237 ## Role access for lpd 238 ## </summary> 239 ## <param name="role"> 240 ## <summary> 241 ## Role allowed access 242 ## </summary> 243 ## </param> 244 ## <param name="domain"> 245 ## <summary> 246 ## User domain for the role 247 ## </summary> 248 ## </param> 249 # 250 interface(`lpd_role',` 251 gen_require(` 252 type lpr_t, lpr_exec_t, lpr_tmp_t, print_spool_t; 253 ') 254 255 role $1 types { lpr_t lpr_tmp_t print_spool_t }; 256 257 # Transition from the user domain to the derived domain. 258 domtrans_pattern($2, lpr_exec_t, lpr_t) 259 dontaudit lpr_t $2:unix_stream_socket { read write }; 260 allow $2 lpr_t:process signull; 261 262 optional_policy(` 263 cups_read_config($2) 264 ') 265 ') 266 267 ######################################## 268 ## <summary> 237 269 ## Execute lpd in the lpd domain. 238 270 ## </summary> branches/rbacsep/policy/modules/services/lpd.te
r2686 r2689 234 234 can_exec(lpr_t, lpr_exec_t) 235 235 236 dontaudit lpr_t $2:unix_stream_socket { read write };237 238 # Transition from the user domain to the derived domain.239 domtrans_pattern($2,lpr_exec_t, lpr_t)240 241 allow $2 lpr_t:process signull;242 243 236 # Allow lpd to read, rename, and unlink spool files. 244 237 allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; … … 347 340 optional_policy(` 348 341 cups_read_config(lpr_t) 349 cups_read_config($2)350 342 cups_stream_connect(lpr_t) 351 343 cups_read_pid_files(lpr_t) branches/rbacsep/policy/modules/services/mta.if
r2543 r2689 287 287 ######################################## 288 288 ## <summary> 289 ## Role access for mta 290 ## </summary> 291 ## <param name="role"> 292 ## <summary> 293 ## Role allowed access 294 ## </summary> 295 ## </param> 296 ## <param name="domain"> 297 ## <summary> 298 ## User domain for the role 299 ## </summary> 300 ## </param> 301 # 302 interface(`mta_role',` 303 gen_require(` 304 attribute mta_user_agent; 305 type user_mail_t, sendmail_exec_t; 306 ') 307 308 role $1 types { user_mail_t mta_user_agent }; 309 310 # Transition from the user domain to the derived domain. 311 domtrans_pattern($2, sendmail_exec_t, user_mail_t) 312 allow $2 sendmail_exec_t:lnk_file { getattr read }; 313 314 allow mta_user_agent $1:fd use; 315 allow mta_user_agent $1:process sigchld; 316 allow mta_user_agent $1:fifo_file { read write }; 317 ') 318 319 ######################################## 320 ## <summary> 289 321 ## Make the specified domain usable for a mail server. 290 322 ## </summary> branches/rbacsep/policy/modules/services/mta.te
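Review bot: The last three rules in mta_role use `$1`, the role parameter, as the target of an allow rule: `allow mta_user_agent $1:fd use;`, `allow mta_user_agent $1:process sigchld;` and `allow mta_user_agent $1:fifo_file { read write };`. Allow rules take types, so with `mta_role(user_r, user_t)` these expand to `allow mta_user_agent user_r:fd use;` and fail to compile, or, if a same-named type ever existed, would grant access to the wrong object. The target should be the user domain, `$2`, matching the domtrans_pattern two lines above and the removed mta.te block; the interface's own parameter documentation says $2 is the user domain.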
r2686 r2689 162 162 # User send mail local policy 163 163 # 164 165 # Transition from the user domain to the derived domain.166 domtrans_pattern($2, sendmail_exec_t, user_mail_t)167 allow $2 sendmail_exec_t:lnk_file { getattr read };168 164 169 165 domain_use_interactive_fds(user_mail_t) branches/rbacsep/policy/modules/services/pyzor.if
r2437 r2689 36 36 manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) 37 37 userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) 38 ') 39 40 ######################################## 41 ## <summary> 42 ## Role access for pyzor 43 ## </summary> 44 ## <param name="role"> 45 ## <summary> 46 ## Role allowed access 47 ## </summary> 48 ## </param> 49 ## <param name="domain"> 50 ## <summary> 51 ## User domain for the role 52 ## </summary> 53 ## </param> 54 # 55 interface(`pyzor_role',` 56 gen_require(` 57 type pyzor_t, pyzor_exec_t; 58 type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; 59 ') 60 61 role $1 types { pyzor_t pyzor_home_t pyzor_var_lib_t pyzor_tmp_t }; 62 63 # Transition from the user domain to the derived domain. 64 domtrans_pattern($2, pyzor_exec_t, pyzor_t) 65 66 # allow ps to show pyzor and allow the user to kill it 67 ps_process_pattern($2, pyzor_t) 68 allow $2 pyzor_t:process signal; 38 69 ') 39 70 branches/rbacsep/policy/modules/services/razor.if
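Review bot: pyzor_role requires `pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t`, but pyzor.te is not in this changeset and the template just above still references the per-role `$1_pyzor_home_t`, so if the shared types have not yet been declared on the branch this interface will not link. Please confirm those types exist before this lands. If pyzor_var_lib_t belongs to the pyzord daemon rather than the user-side client, drop it from the role statement, since `role $1 types` on a daemon's data type grants nothing useful and only widens what each role is associated with.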
r2686 r2689 207 207 ######################################## 208 208 ## <summary> 209 ## Role access for razor 210 ## </summary> 211 ## <param name="role"> 212 ## <summary>
