add quota

This commit is contained in:
Chris PeBenito 2005-08-11 14:49:58 +00:00
parent 5a3895a9f6
commit 052c953ae5
9 changed files with 297 additions and 1 deletions

View File

@ -8,6 +8,7 @@
* Added policies: * Added policies:
acct acct
mysql mysql
quota
su su
sudo sudo
tmpreaper tmpreaper

View File

@ -0,0 +1,14 @@
/sbin/quota(check|on) -- context_template(system_u:object_r:quota_exec_t,s0)
ifdef(`distro_redhat',`
/usr/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0)
',`
/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0)
')
HOME_ROOT/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)
/var/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)
/var/lib/quota(/.*)? context_template(system_u:object_r:quota_flag_t,s0)

View File

@ -0,0 +1,81 @@
## <summary>File system quota management</summary>
########################################
## <summary>
## Execute quota management tools in the quota domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`quota_domtrans',`
gen_require(`
type quota_t, quota_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,quota_exec_t,quota_t)
allow $1 quota_t:fd use;
allow quota_t $1:fd use;
allow quota_t $1:fifo_file rw_file_perms;
allow quota_t $1:process sigchld;
')
########################################
## <summary>
## Execute quota management tools in the quota domain, and
## allow the specified role the quota domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the quota domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the quota domain to use.
## </param>
#
interface(`quota_run',`
gen_require(`
type quota_t;
class chr_file rw_term_perms;
')
quota_domtrans($1)
role $2 types quota_t;
allow quota_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of filesystem quota data files.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`quota_dontaudit_getattr_db',`
gen_require(`
type quota_db_t;
class file getattr;
')
dontaudit $1 quota_db_t:file getattr;
')
interface(`quota_manage_flags',`
gen_require(`
type quota_flag_t;
class dir rw_dir_perms;
class file create_file_perms;
')
files_search_var_lib($1)
allow $1 quota_flag_t:dir rw_dir_perms;
allow $1 quota_flag_t:file create_file_perms;
')

View File

@ -0,0 +1,89 @@
policy_module(quota,1.0)
########################################
#
# Declarations
#
type quota_t;
type quota_exec_t;
init_system_domain(quota_t,quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
type quota_flag_t;
files_type(quota_flag_t)
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
# for /quota.*
allow quota_t quota_db_t:file { read write quotaon };
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctl(quota_t)
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
fs_get_xattr_fs_quota(quota_t)
fs_set_xattr_fs_quota(quota_t)
fs_getattr_xattr_fs(quota_t)
fs_remount_xattr_fs(quota_t)
fs_search_auto_mountpoints(quota_t)
storage_raw_read_fixed_disk(quota_t)
term_dontaudit_use_console(quota_t)
domain_use_wide_inherit_fd(quota_t)
files_list_all_dirs(quota_t)
files_read_all_files(quota_t)
files_read_all_symlinks(quota_t)
files_getattr_all_pipes(quota_t)
files_getattr_all_sockets(quota_t)
# Read /etc/mtab.
files_read_etc_runtime_files(quota_t)
init_use_fd(quota_t)
init_use_script_pty(quota_t)
libs_use_ld_so(quota_t)
libs_use_shared_libs(quota_t)
logging_send_syslog_msg(quota_t)
userdom_dontaudit_use_unpriv_user_fd(quota_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(quota_t)
term_dontaudit_use_generic_pty(quota_t)
files_dontaudit_read_root_file(quota_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(quota_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(quota_t)
')
optional_policy(`udev.te', `
udev_read_db(quota_t)
')
ifdef(`TODO',`
# quotacheck creates new quota_db_t files
file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
allow quota_t file_t:file quotaon;
allow quota_t proc_t:file getattr;
') dnl end TODO

View File

@ -214,6 +214,42 @@ interface(`fs_relabelfrom_xattr_fs',`
allow $1 fs_t:filesystem relabelfrom; allow $1 fs_t:filesystem relabelfrom;
') ')
########################################
## <summary>
## Get the filesystem quotas of a filesystem
## with extended attributes.
## </summary>
## <param name="domain">
## The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_get_xattr_fs_quota',`
gen_require(`
type fs_t;
class filesystem quotaget;
')
allow $1 fs_t:filesystem quotaget;
')
########################################
## <summary>
## Set the filesystem quotas of a filesystem
## with extended attributes.
## </summary>
## <param name="domain">
## The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_set_xattr_fs_quota',`
gen_require(`
type fs_t;
class filesystem quotamod;
')
allow $1 fs_t:filesystem quotamod;
')
######################################## ########################################
## <summary> ## <summary>
## Mount an automount pseudo filesystem. ## Mount an automount pseudo filesystem.

View File

@ -140,8 +140,29 @@ interface(`files_dontaudit_getattr_all_dirs',`
') ')
######################################## ########################################
## <summary>
## List the contents of all directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
# #
# files_getattr_all_files(domain) interface(`files_list_all_dirs',`
gen_require(`
attribute file_type;
class dir r_dir_perms;
')
allow $1 file_type:dir r_dir_perms;
')
########################################
## <summary>
## Get the attributes of all files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
# #
interface(`files_getattr_all_files',` interface(`files_getattr_all_files',`
gen_require(` gen_require(`
@ -172,6 +193,29 @@ interface(`files_dontaudit_getattr_all_files',`
dontaudit $1 file_type:file getattr; dontaudit $1 file_type:file getattr;
') ')
########################################
## <summary>
## Read all files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_all_files',`
gen_require(`
attribute file_type;
class dir search;
class file r_file_perms;
')
allow $1 file_type:dir search;
allow $1 file_type:file r_file_perms;
optional_policy(`authlogin.te',`
auth_read_shadow($1)
')
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of all symbolic links. ## Get the attributes of all symbolic links.
@ -209,6 +253,25 @@ interface(`files_dontaudit_getattr_all_symlinks',`
dontaudit $1 file_type:lnk_file getattr; dontaudit $1 file_type:lnk_file getattr;
') ')
########################################
## <summary>
## Read all symbolic links.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_all_symlinks',`
gen_require(`
attribute file_type;
class dir search;
class lnk_file { getattr read };
')
allow $1 file_type:dir search;
allow $1 file_type:lnk_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of all named pipes. ## Get the attributes of all named pipes.

View File

@ -410,6 +410,10 @@ optional_policy(`raid.te',`
raid_manage_mdadm_pid(initrc_t) raid_manage_mdadm_pid(initrc_t)
') ')
optional_policy(`quota.te',`
quota_manage_flags(initrc_t)
')
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
corecmd_shell_entry_type(initrc_t) corecmd_shell_entry_type(initrc_t)
') ')

View File

@ -265,6 +265,10 @@ template(`base_user_template',`
pcmcia_read_pid($1_t) pcmcia_read_pid($1_t)
') ')
optional_policy(`quota.te',`
quota_dontaudit_getattr_db($1_t)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
files_getattr_var_lib_dir($1_t) files_getattr_var_lib_dir($1_t)
files_search_var_lib($1_t) files_search_var_lib($1_t)

View File

@ -175,6 +175,10 @@ ifdef(`targeted_policy',`
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`quota.te',`
quota_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
rpm_run(sysadm_t,sysadm_r,admin_terminal) rpm_run(sysadm_t,sysadm_r,admin_terminal)
') ')