Changeset 2738
- Timestamp:
- 06/25/08 14:39:10
(4 months ago)
- Author:
- cpebenito
- Message:
rbacsep: switch over screen to role template convention.
-
Files:
-
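--- a/[PATH-NOT-SHOWN-ON-PAGE-1]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-1]
@@ -3,21 +3,15 @@
 #######################################
 ## <summary>
-## The per role template for the screen module.
+## The role template for the screen module.
 ## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for screen sessions.
-## </p>
-## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-## </p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
 ## </summary>
 ## </param>
@@ -27,11 +21,6 @@
 ## </summary>
 ## </param>
-## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
-## </param>
 #
-template(`screen_per_role_template',`
+template(`screen_role_template',`
 gen_require(`
 type screen_dir_t, screen_exec_t;
@@ -44,17 +33,8 @@
 
 type $1_screen_t;
-application_domain($1_screen_t,screen_exec_t)
+application_domain($1_screen_t, screen_exec_t)
 domain_interactive_fd($1_screen_t)
-role $3 types $1_screen_t;
+role $2 types $1_screen_t;
 
-type $1_screen_tmp_t;
-files_tmp_file($1_screen_tmp_t)
-
-type $1_screen_ro_home_t;
-files_type($1_screen_ro_home_t)
-
-type $1_screen_var_run_t;
-files_pid_file($1_screen_var_run_t)
-
 ########################################
 #
@@ -71,31 +51,31 @@
 allow $1_screen_t self:unix_dgram_socket create_socket_perms;
 
-manage_dirs_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
-manage_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
-manage_fifo_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
-files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
+manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
 
 # Create fifo
-manage_fifo_files_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t)
-manage_dirs_pattern($1_screen_t,screen_dir_t,screen_dir_t)
-filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
-files_pid_filetrans($1_screen_t,screen_dir_t,dir)
+manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
+manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
+filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
+files_pid_filetrans($1_screen_t, screen_dir_t, dir)
 
-allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
-read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
-read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
+allow $1_screen_t screen_home_t:dir list_dir_perms;
+read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
 
-allow $1_screen_t $2:process signal;
+allow $1_screen_t $3:process signal;
 
-domtrans_pattern($2, screen_exec_t, $1_screen_t)
-allow $2 $1_screen_t:process signal;
-allow $1_screen_t $2:process signal;
+domtrans_pattern($3, screen_exec_t, $1_screen_t)
+allow $3 $1_screen_t:process signal;
+allow $1_screen_t $3:process signal;
 
-manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+manage_dirs_pattern($3, screen_home_t, screen_home_t)
+manage_files_pattern($3, screen_home_t, screen_home_t)
+manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+relabel_files_pattern($3, screen_home_t, screen_home_t)
+relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
 
 kernel_read_system_state($1_screen_t)
@@ -108,6 +88,6 @@
 corecmd_read_bin_sockets($1_screen_t)
 # Revert to the user domain when a shell is executed.
-corecmd_shell_domtrans($1_screen_t,$2)
-corecmd_bin_domtrans($1_screen_t,$2)
+corecmd_shell_domtrans($1_screen_t, $3)
+corecmd_bin_domtrans($1_screen_t, $3)
 
 corenet_all_recvfrom_unlabeled($1_screen_t)
@@ -154,8 +134,8 @@
 sysnet_read_config($1_screen_t)
 
-userdom_use_user_terminals($1,$1_screen_t)
-userdom_create_user_pty($1,$1_screen_t)
-userdom_user_home_domtrans($1,$1_screen_t,$2)
-userdom_setattr_user_ptys($1,$1_screen_t)
+userdom_use_user_terminals($1_screen_t)
+userdom_create_user_pty($1_screen_t)
+userdom_user_home_domtrans($1_screen_t, $3)
+userdom_setattr_user_ptys($1_screen_t)
 
 tunable_policy(`read_default_t',`
@@ -168,5 +148,5 @@
 
 tunable_policy(`use_samba_home_dirs',`
-fs_cifs_domtrans($1_screen_t,$2)
+fs_cifs_domtrans($1_screen_t, $3)
 fs_read_cifs_symlinks($1_screen_t)
 fs_list_cifs($1_screen_t)
@@ -174,5 +154,5 @@
 
 tunable_policy(`use_nfs_home_dirs',`
-fs_nfs_domtrans($1_screen_t,$2)
+fs_nfs_domtrans($1_screen_t, $3)
 fs_list_nfs($1_screen_t)
 fs_read_nfs_symlinks($1_screen_t)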
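--- a/[PATH-NOT-SHOWN-ON-PAGE-2]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-2]
@@ -12,2 +12,11 @@
 type screen_exec_t;
 application_executable_file(screen_exec_t)
+
+type screen_tmp_t;
+files_tmp_file(screen_tmp_t)
+
+type screen_home_t;
+userdom_user_home_content(screen_home_t)
+
+type screen_var_run_t;
+files_pid_file(screen_var_run_t)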
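--- a/[PATH-NOT-SHOWN-ON-PAGE-3]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-3]
@@ -125,5 +125,5 @@
 
 optional_policy(`
-screen_role(auditadm_r, auditadm_t)
+screen_role_template(auditadm, auditadm_r, auditadm_t)
 ')
 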
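--- a/[PATH-NOT-SHOWN-ON-PAGE-4]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-4]
@@ -137,5 +137,5 @@
 
 optional_policy(`
-screen_role(secadm_r, secadm_t)
+screen_role_template(secadm, secadm_r, secadm_t)
 ')
 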
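--- a/[PATH-NOT-SHOWN-ON-PAGE-5]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-5]
@@ -105,5 +105,5 @@
 
 optional_policy(`
-screen_role(staff_r, staff_t)
+screen_role_template(staff, staff_r, staff_t)
 ')
 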
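--- a/[PATH-NOT-SHOWN-ON-PAGE-6]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-6]
@@ -334,5 +334,5 @@
 
 optional_policy(`
-screen_role(sysadm_r, sysadm_t)
+screen_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 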
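--- a/[PATH-NOT-SHOWN-ON-PAGE-7]
+++ b/[PATH-NOT-SHOWN-ON-PAGE-7]
@@ -99,5 +99,5 @@
 
 optional_policy(`
-screen_role(user_r, user_t)
+screen_role_template(user, user_r, user_t)
 ')
 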