Changeset 2834

Timestamp:

10/13/08 10:06:23 (2 months ago)

Author:

cpebenito

Message:

trunk: 8 patches from dan.

Files:

• trunk/policy/modules/admin/alsa.te (modified) (2 diffs)
• trunk/policy/modules/admin/amanda.te (modified) (2 diffs)
• trunk/policy/modules/admin/mrtg.te (modified) (7 diffs)
• trunk/policy/modules/admin/netutils.te (modified) (12 diffs)
• trunk/policy/modules/admin/vpn.fc (modified) (1 diff)
• trunk/policy/modules/admin/vpn.te (modified) (3 diffs)
• trunk/policy/modules/services/cvs.fc (modified) (1 diff)
• trunk/policy/modules/services/cvs.if (modified) (1 diff)
• trunk/policy/modules/services/cvs.te (modified) (2 diffs)
• trunk/policy/modules/services/cyrus.fc (modified) (1 diff)
• trunk/policy/modules/services/cyrus.if (modified) (1 diff)
• trunk/policy/modules/services/cyrus.te (modified) (3 diffs)
• trunk/policy/modules/services/kerneloops.fc (modified) (1 diff)
• trunk/policy/modules/services/kerneloops.if (modified) (1 diff)
• trunk/policy/modules/services/kerneloops.te (modified) (3 diffs)

trunk/policy/modules/admin/alsa.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -49 +49 @@
-files_search_home(alsa_t)
-files_read_etc_files(alsa_t)
+files_read_usr_files(alsa_t)
-
-auth_use_nsswitch(alsa_t)
+
+init_use_fds(alsa_t)
-
-libs_use_ld_so(alsa_t)

trunk/policy/modules/admin/amanda.te

@@ -1 +1 @@
-
-2
+3
-
-#######################################
@@ -130 +130 @@
-corenet_udp_bind_all_nodes(amanda_t)
-corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
-
-dev_getattr_all_blk_files(amanda_t)

trunk/policy/modules/admin/mrtg.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -79 +79 @@
-
-domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
-
-files_read_usr_files(mrtg_t)
@@ -93 +94 @@
-fs_search_auto_mountpoints(mrtg_t)
-fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
-
-term_dontaudit_use_console(mrtg_t)
@@ -101 +103 @@
-init_read_utmp(mrtg_t)
-init_dontaudit_write_utmp(mrtg_t)
+
+auth_use_nsswitch(mrtg_t)
-
-libs_read_lib_files(mrtg_t)
@@ -112 +116 @@
-selinux_dontaudit_getattr_dir(mrtg_t)
-
-# Use the network.
-sysnet_read_config(mrtg_t)
-
-userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-
-sysadm_use_terms(mrtg_t)
+sysadm_dontaudit_read_home_content_files(mrtg_t)
-
-ifdef(`enable_mls',`
@@ -141 +143 @@
-
-optional_policy(`
-        nis_use_ypbind(mrtg_t)
-')
-
-optional_policy(`
-        nscd_dontaudit_search_pid(mrtg_t)
-')
-
-optional_policy(`
-        seutil_sigchld_newrole(mrtg_t)
-')
@@ -163 +157 @@
-        udev_read_db(mrtg_t)
-')
-
-ifdef(`TODO',`
-        # should not need this!
-        dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
-        dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
-        dontaudit mrtg_t root_t:lnk_file getattr;
-')

trunk/policy/modules/admin/netutils.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -51 +51 @@
-
-kernel_search_proc(netutils_t)
+kernel_read_sysctl(netutils_t)
-
-corenet_all_recvfrom_unlabeled(netutils_t)
@@ -79 +80 @@
-init_use_script_ptys(netutils_t)
-
+auth_use_nsswitch(netutils_t)
+
-libs_use_ld_so(netutils_t)
-libs_use_shared_libs(netutils_t)
@@ -86 +89 @@
-miscfiles_read_localization(netutils_t)
-
-sysnet_read_config(netutils_t)
-
-userdom_use_all_users_fds(netutils_t)
-
-optional_policy(`
-        nis_use_ypbind(netutils_t)
+')
+
+optional_policy(`
+        vmware_append_log(netutils_t)
-')
-
@@ -108 +113 @@
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket create_netlink_socket_perms;
-
-corenet_all_recvfrom_unlabeled(ping_t)
@@ -114 +120 @@
-corenet_raw_sendrecv_all_if(ping_t)
-corenet_raw_sendrecv_all_nodes(ping_t)
+corenet_raw_bind_all_nodes(ping_t)
-corenet_tcp_sendrecv_all_nodes(ping_t)
-corenet_tcp_sendrecv_all_ports(ping_t)
@@ -124 +131 @@
-files_dontaudit_search_var(ping_t)
-
+auth_use_nsswitch(ping_t)
+
-libs_use_ld_so(ping_t)
-libs_use_shared_libs(ping_t)
@@ -130 +139 @@
-
-miscfiles_read_localization(ping_t)
-
-sysnet_read_config(ping_t)
-sysnet_dns_name_resolve(ping_t)
-
-ifdef(`hide_broken_symptoms',`
@@ -144 +150 @@
-
-optional_policy(`
-        nis_use_ypbind(ping_t)
-')
-
-optional_policy(`
-        nscd_socket_use(ping_t)
-')
-
-optional_policy(`
-        pcmcia_use_cardmgr_fds(ping_t)
-')
@@ -167 +165 @@
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow traceroute_t self:udp_socket create_socket_perms;
-
@@ -201 +198 @@
-init_use_fds(traceroute_t)
-
+auth_use_nsswitch(traceroute_t)
+
-libs_use_ld_so(traceroute_t)
-libs_use_shared_libs(traceroute_t)
@@ -213 +212 @@
-files_read_usr_files(traceroute_t)
-
-sysnet_read_config(traceroute_t)
-
-tunable_policy(`user_ping',`
-        term_use_all_user_ttys(traceroute_t)
-        term_use_all_user_ptys(traceroute_t)
-')
-
-optional_policy(`
-        nis_use_ypbind(traceroute_t)
-')
-
-optional_policy(`
-        nscd_socket_use(traceroute_t)
-')

trunk/policy/modules/admin/vpn.fc

@@ -7 +7 @@
-# /usr
-#
+/usr/bin/openconnect    --      gen_context(system_u:object_r:vpnc_exec_t,s0)
+
-/usr/sbin/vpnc          --      gen_context(system_u:object_r:vpnc_exec_t,s0)
-

trunk/policy/modules/admin/vpn.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -24 +24 @@
-
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
-getsched
+{ getsched signal }
-allow vpnc_t self:fifo_file rw_fifo_file_perms;
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -45 +45 @@
-kernel_read_system_state(vpnc_t)
-kernel_read_network_state(vpnc_t)
-kerne
+al
-kernel_rw_net_sysctls(vpnc_t)
-

trunk/policy/modules/services/cvs.fc

@@ -6 +6 @@
-/var/cvs(/.*)?          gen_context(system_u:object_r:cvs_data_t,s0)
-
+#CVSWeb file context
+/usr/share/cvsweb/cvsweb\.cgi   --      gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi    --      gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)

trunk/policy/modules/services/cvs.if

@@ -70 +70 @@
-        role_transition $2 cvs_initrc_exec_t system_r;
-        allow $2 system_r;
+
+        files_list_tmp($1)
+        admin_pattern($1, cvs_tmp_t)
+
+        admin_pattern($1, cvs_data_t)
+
+        files_list_pids($1)
+        admin_pattern($1, cvs_var_run_t)
-')

trunk/policy/modules/services/cvs.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -100 +100 @@
-
-optional_policy(`
-read_keytab(
+keytab_template(cvs, 
-        kerberos_read_config(cvs_t)
-        kerberos_dontaudit_write_config(cvs_t)
-')
+
+########################################
+#
+# CVSWeb policy
+#
+
+optional_policy(`
+        apache_content_template(cvs)
+
+        read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+        manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+        manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+')

trunk/policy/modules/services/cyrus.fc

@@ +1 @@
+/etc/rc\.d/init\.d/cyrus                --      gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
-
-/usr/lib(64)?/cyrus-imapd/cyrus-master  --      gen_context(system_u:object_r:cyrus_exec_t,s0)

trunk/policy/modules/services/cyrus.if

@@ -40 +40 @@
-        stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
-')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an cyrus environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the cyrus domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cyrus_admin',`
+        gen_require(`
+                type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+                type cyrus_var_run_t, cyrus_initrc_exec_t;
+        ')
+
+        allow $1 cyrus_t:process { ptrace signal_perms };
+        ps_process_pattern($1, cyrus_t)
+
+        init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 cyrus_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_tmp($1)
+        admin_pattern($1, cyrus_tmp_t)
+
+        files_list_var_lib($1)
+        admin_pattern($1, cyrus_var_lib_t)
+
+        files_list_pids($1)
+        admin_pattern($1, cyrus_var_run_t)
+')
+
+

trunk/policy/modules/services/cyrus.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -10 +10 @@
-type cyrus_exec_t;
-init_daemon_domain(cyrus_t, cyrus_exec_t)
+
+type cyrus_initrc_exec_t;
+init_script_file(cyrus_initrc_exec_t)
-
-type cyrus_tmp_t;
@@ -121 +124 @@
-
-optional_policy(`
-use(
+keytab_template(cyrus, 
-')
-

trunk/policy/modules/services/kerneloops.fc

@@ +1 @@
+/etc/rc\.d/init\.d/kerneloops   --      gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
-/usr/sbin/kerneloops    --      gen_context(system_u:object_r:kerneloops_exec_t,s0)

trunk/policy/modules/services/kerneloops.if

@@ -72 +72 @@
-##      </summary>
-## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the kerneloops domain.
+##      </summary>
+## </param>
-## <rolecap/>
-#
-interface(`kerneloops_admin',`
-        gen_require(`
-
+, kerneloops_initrc_exec_t
-        ')
-
-        allow $1 kerneloops_t:process { ptrace signal_perms };
-        ps_process_pattern($1, kerneloops_t)
+
+        init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 kerneloops_initrc_exec_t system_r;
+        allow $2 system_r;
-')

trunk/policy/modules/services/kerneloops.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -11 +11 @@
-init_daemon_domain(kerneloops_t, kerneloops_exec_t)
-
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
-########################################
-#
@@ -17 +20 @@
-
-allow kerneloops_t self:capability sys_nice;
-
+signal 
-allow kerneloops_t self:fifo_file rw_file_perms;
+allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
-
-kernel_read_ring_buffer(kerneloops_t)