trunk: 4 patches from dan.

This commit is contained in:
Chris PeBenito 2008-11-18 19:55:10 +00:00
parent 659c8650c7
commit 01e9e7dbf5
10 changed files with 232 additions and 16 deletions

View File

@ -1,4 +1,7 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

View File

@ -1 +1,97 @@
## <summary>dnsmasq DNS forwarder and DHCP server</summary>
########################################
## <summary>
## Execute dnsmasq server in the dnsmasq domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
#
interface(`dnsmasq_domtrans',`
gen_require(`
type dnsmasq_exec_t, dnsmasq_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
')
########################################
## <summary>
## Send dnsmasq a signal
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
#
interface(`dnsmasq_signal',`
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process signal;
')
########################################
## <summary>
## Send dnsmasq a kill signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
#
interface(`dnsmasq_kill',`
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process sigkill;
')
########################################
## <summary>
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the dnsmasq domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
type dnsmasq_initrc_exec_t;
')
allow $1 dnsmasq_t:process { ptrace signal_perms };
ps_process_pattern($1, dnsmasq_t)
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(dnsmasq, 1.6.1)
policy_module(dnsmasq, 1.6.2)
########################################
#
@ -10,6 +10,9 @@ type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@ -23,7 +26,7 @@ files_pid_file(dnsmasq_var_run_t)
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { setcap signal_perms };
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
@ -32,7 +35,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
# dhcp leases
allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
@ -55,8 +58,7 @@ corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_udp_bind_all_ports(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
@ -91,3 +93,7 @@ optional_policy(`
optional_policy(`
udev_read_db(dnsmasq_t)
')
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
')

View File

@ -5,6 +5,7 @@
#
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
#
# /usr

View File

@ -52,10 +52,11 @@ interface(`mysql_tcp_connect',`
#
interface(`mysql_stream_connect',`
gen_require(`
type mysqld_t, mysqld_var_run_t;
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
########################################
@ -178,3 +179,46 @@ interface(`mysql_write_log',`
logging_search_logs($1)
allow $1 mysqld_log_t:file { write_file_perms setattr };
')
########################################
## <summary>
## All of the rules required to administrate an mysql environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the mysql domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`mysql_admin',`
gen_require(`
type mysqld_t, mysqld_var_run_t;
type mysqld_tmp_t, mysqld_db_t;
type mysqld_etc_t, mysqld_log_t;
type mysqld_initrc_exec_t;
')
allow $1 mysqld_t:process { ptrace signal_perms };
ps_process_pattern($1, mysqld_t)
init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, mysqld_var_run_t)
admin_pattern($1, mysqld_db_t)
admin_pattern($1, mysqld_etc_t)
admin_pattern($1, mysqld_log_t)
admin_pattern($1, mysqld_tmp_t)
')

View File

@ -1,5 +1,5 @@
policy_module(mysql, 1.9.1)
policy_module(mysql, 1.9.2)
########################################
#
@ -19,6 +19,9 @@ files_type(mysqld_db_t)
type mysqld_etc_t alias etc_mysqld_t;
files_config_file(mysqld_etc_t)
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
type mysqld_log_t;
logging_log_file(mysqld_log_t)
@ -34,6 +37,7 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bin
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:shm create_shm_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
@ -79,6 +83,7 @@ dev_read_sysfs(mysqld_t)
fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)
domain_use_interactive_fds(mysqld_t)

View File

@ -1,2 +1,5 @@
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)

View File

@ -39,3 +39,41 @@ interface(`procmail_exec',`
corecmd_search_bin($1)
can_exec($1, procmail_exec_t)
')
########################################
## <summary>
## Read procmail tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`procmail_read_tmp_files',`
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
allow $1 procmail_tmp_t:file read_file_perms;
')
########################################
## <summary>
## Read/write procmail tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`procmail_rw_tmp_files',`
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')

View File

@ -1,5 +1,5 @@
policy_module(procmail, 1.9.1)
policy_module(procmail, 1.9.2)
########################################
#
@ -11,6 +11,9 @@ type procmail_exec_t;
application_domain(procmail_t, procmail_exec_t)
role system_r types procmail_t;
type procmail_log_t;
logging_log_file(procmail_log_t)
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
@ -29,6 +32,13 @@ allow procmail_t self:udp_socket create_socket_perms;
can_exec(procmail_t,procmail_exec_t)
# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@ -58,6 +68,7 @@ auth_use_nsswitch(procmail_t)
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
corecmd_read_bin_symlinks(procmail_t)
files_read_etc_files(procmail_t)
files_read_etc_runtime_files(procmail_t)
@ -118,11 +129,13 @@ optional_policy(`
optional_policy(`
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
optional_policy(`
mta_read_config(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_rw_tcp_sockets(procmail_t)
sendmail_rw_unix_stream_sockets(procmail_t)
')
@ -131,7 +144,7 @@ optional_policy(`
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t)
spamassassin_domtrans_local_client(procmail_t)
spamassassin_domtrans_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
')

View File

@ -1,5 +1,5 @@
policy_module(rshd, 1.5.1)
policy_module(rshd, 1.5.2)
########################################
#
@ -16,7 +16,7 @@ role system_r types rshd_t;
#
# Local policy
#
allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
@ -33,6 +33,9 @@ corenet_tcp_sendrecv_all_ports(rshd_t)
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
corenet_tcp_bind_all_rpc_ports(rshd_t)
corenet_tcp_connect_all_ports(rshd_t)
corenet_tcp_connect_all_rpc_ports(rshd_t)
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
@ -44,17 +47,19 @@ selinux_compute_create_context(rshd_t)
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
auth_domtrans_chk_passwd(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
files_list_home(rshd_t)
files_read_etc_files(rshd_t)
files_search_tmp(rshd_t)
auth_use_nsswitch(rshd_t)
auth_login_pgm_domain(rshd_t)
auth_write_login_records(rshd_t)
init_rw_utmp(rshd_t)
logging_send_syslog_msg(rshd_t)
logging_search_logs(rshd_t)
miscfiles_read_localization(rshd_t)
@ -74,7 +79,8 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
kerberos_use(rshd_t)
kerberos_keytab_template(rshd, rshd_t)
kerberos_manage_host_rcache(rshd_t)
')
optional_policy(`
@ -83,4 +89,5 @@ optional_policy(`
optional_policy(`
unconfined_shell_domtrans(rshd_t)
unconfined_signal(rshd_t)
')