add quota
This commit is contained in:
		
							parent
							
								
									5a3895a9f6
								
							
						
					
					
						commit
						052c953ae5
					
				| @ -8,6 +8,7 @@ | ||||
| 	* Added policies: | ||||
| 		acct | ||||
| 		mysql | ||||
| 		quota | ||||
| 		su | ||||
| 		sudo | ||||
| 		tmpreaper | ||||
|  | ||||
							
								
								
									
										14
									
								
								refpolicy/policy/modules/admin/quota.fc
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								refpolicy/policy/modules/admin/quota.fc
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,14 @@ | ||||
| 
 | ||||
| /sbin/quota(check|on)		--	context_template(system_u:object_r:quota_exec_t,s0) | ||||
| 
 | ||||
| ifdef(`distro_redhat',` | ||||
| /usr/sbin/convertquota		--	context_template(system_u:object_r:quota_exec_t,s0) | ||||
| ',` | ||||
| /sbin/convertquota		--	context_template(system_u:object_r:quota_exec_t,s0) | ||||
| ') | ||||
| 
 | ||||
| HOME_ROOT/a?quota\.(user|group)	--	context_template(system_u:object_r:quota_db_t,s0) | ||||
| 
 | ||||
| /var/a?quota\.(user|group)	--	context_template(system_u:object_r:quota_db_t,s0) | ||||
| 
 | ||||
| /var/lib/quota(/.*)?			context_template(system_u:object_r:quota_flag_t,s0) | ||||
							
								
								
									
										81
									
								
								refpolicy/policy/modules/admin/quota.if
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										81
									
								
								refpolicy/policy/modules/admin/quota.if
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,81 @@ | ||||
| ## <summary>File system quota management</summary> | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute quota management tools in the quota domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| # | ||||
| interface(`quota_domtrans',` | ||||
| 	gen_require(` | ||||
| 		type quota_t, quota_exec_t; | ||||
| 		class process sigchld; | ||||
| 		class fd use; | ||||
| 		class fifo_file rw_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	domain_auto_trans($1,quota_exec_t,quota_t) | ||||
| 
 | ||||
| 	allow $1 quota_t:fd use; | ||||
| 	allow quota_t $1:fd use; | ||||
| 	allow quota_t $1:fifo_file rw_file_perms; | ||||
| 	allow quota_t $1:process sigchld; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute quota management tools in the quota domain, and | ||||
| ##	allow the specified role the quota domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| ## <param name="role"> | ||||
| ##	The role to be allowed the quota domain. | ||||
| ## </param> | ||||
| ## <param name="terminal"> | ||||
| ##	The type of the terminal allow the quota domain to use. | ||||
| ## </param> | ||||
| # | ||||
| interface(`quota_run',` | ||||
| 	gen_require(` | ||||
| 		type quota_t; | ||||
| 		class chr_file rw_term_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	quota_domtrans($1) | ||||
| 	role $2 types quota_t; | ||||
| 	allow quota_t $3:chr_file rw_term_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Do not audit attempts to get the attributes | ||||
| ##	of filesystem quota data files. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain to not audit. | ||||
| ## </param> | ||||
| # | ||||
| interface(`quota_dontaudit_getattr_db',` | ||||
| 	gen_require(` | ||||
| 		type quota_db_t; | ||||
| 		class file getattr; | ||||
| 	') | ||||
| 
 | ||||
| 	dontaudit $1 quota_db_t:file getattr; | ||||
| ') | ||||
| 
 | ||||
| interface(`quota_manage_flags',` | ||||
| 	gen_require(` | ||||
| 		type quota_flag_t; | ||||
| 		class dir rw_dir_perms; | ||||
| 		class file create_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_var_lib($1) | ||||
| 	allow $1 quota_flag_t:dir rw_dir_perms; | ||||
| 	allow $1 quota_flag_t:file create_file_perms; | ||||
| ') | ||||
							
								
								
									
										89
									
								
								refpolicy/policy/modules/admin/quota.te
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										89
									
								
								refpolicy/policy/modules/admin/quota.te
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,89 @@ | ||||
| 
 | ||||
| policy_module(quota,1.0) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| type quota_t; | ||||
| type quota_exec_t; | ||||
| init_system_domain(quota_t,quota_exec_t) | ||||
| 
 | ||||
| type quota_db_t; | ||||
| files_type(quota_db_t) | ||||
| 
 | ||||
| type quota_flag_t; | ||||
| files_type(quota_flag_t) | ||||
| 
 | ||||
| allow quota_t self:capability { sys_admin dac_override }; | ||||
| dontaudit quota_t self:capability sys_tty_config; | ||||
| allow quota_t self:process signal_perms; | ||||
| 
 | ||||
| # for /quota.* | ||||
| allow quota_t quota_db_t:file { read write quotaon }; | ||||
| 
 | ||||
| kernel_list_proc(quota_t) | ||||
| kernel_read_proc_symlinks(quota_t) | ||||
| kernel_read_kernel_sysctl(quota_t) | ||||
| 
 | ||||
| dev_read_sysfs(quota_t) | ||||
| dev_getattr_all_blk_files(quota_t) | ||||
| dev_getattr_all_chr_files(quota_t) | ||||
| 
 | ||||
| fs_get_xattr_fs_quota(quota_t) | ||||
| fs_set_xattr_fs_quota(quota_t) | ||||
| fs_getattr_xattr_fs(quota_t) | ||||
| fs_remount_xattr_fs(quota_t) | ||||
| fs_search_auto_mountpoints(quota_t) | ||||
| 
 | ||||
| storage_raw_read_fixed_disk(quota_t) | ||||
| 
 | ||||
| term_dontaudit_use_console(quota_t) | ||||
| 
 | ||||
| domain_use_wide_inherit_fd(quota_t) | ||||
| 
 | ||||
| files_list_all_dirs(quota_t) | ||||
| files_read_all_files(quota_t) | ||||
| files_read_all_symlinks(quota_t) | ||||
| files_getattr_all_pipes(quota_t) | ||||
| files_getattr_all_sockets(quota_t) | ||||
| # Read /etc/mtab. | ||||
| files_read_etc_runtime_files(quota_t) | ||||
| 
 | ||||
| init_use_fd(quota_t) | ||||
| init_use_script_pty(quota_t) | ||||
| 
 | ||||
| libs_use_ld_so(quota_t) | ||||
| libs_use_shared_libs(quota_t) | ||||
| 
 | ||||
| logging_send_syslog_msg(quota_t) | ||||
| 
 | ||||
| userdom_dontaudit_use_unpriv_user_fd(quota_t) | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| 	term_dontaudit_use_unallocated_tty(quota_t) | ||||
| 	term_dontaudit_use_generic_pty(quota_t) | ||||
| 	files_dontaudit_read_root_file(quota_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`rhgb.te',` | ||||
| 	rhgb_domain(quota_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`selinuxutil.te',` | ||||
| 	seutil_sigchld_newrole(quota_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`udev.te', ` | ||||
| 	udev_read_db(quota_t) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`TODO',` | ||||
| # quotacheck creates new quota_db_t files | ||||
| file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) | ||||
| 
 | ||||
| allow quota_t file_t:file quotaon; | ||||
| 
 | ||||
| allow quota_t proc_t:file getattr; | ||||
| ') dnl end TODO | ||||
| @ -214,6 +214,42 @@ interface(`fs_relabelfrom_xattr_fs',` | ||||
| 	allow $1 fs_t:filesystem relabelfrom; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Get the filesystem quotas of a filesystem | ||||
| ##	with extended attributes. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the domain mounting the filesystem. | ||||
| ## </param> | ||||
| # | ||||
| interface(`fs_get_xattr_fs_quota',` | ||||
| 	gen_require(` | ||||
| 		type fs_t; | ||||
| 		class filesystem quotaget; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 fs_t:filesystem quotaget; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Set the filesystem quotas of a filesystem | ||||
| ##	with extended attributes. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the domain mounting the filesystem. | ||||
| ## </param> | ||||
| # | ||||
| interface(`fs_set_xattr_fs_quota',` | ||||
| 	gen_require(` | ||||
| 		type fs_t; | ||||
| 		class filesystem quotamod; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 fs_t:filesystem quotamod; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Mount an automount pseudo filesystem. | ||||
|  | ||||
| @ -140,8 +140,29 @@ interface(`files_dontaudit_getattr_all_dirs',` | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	List the contents of all directories. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| # files_getattr_all_files(domain) | ||||
| interface(`files_list_all_dirs',` | ||||
| 	gen_require(` | ||||
| 		attribute file_type; | ||||
| 		class dir r_dir_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 file_type:dir r_dir_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Get the attributes of all files. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`files_getattr_all_files',` | ||||
| 	gen_require(` | ||||
| @ -172,6 +193,29 @@ interface(`files_dontaudit_getattr_all_files',` | ||||
| 	dontaudit $1 file_type:file getattr; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Read all files. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`files_read_all_files',` | ||||
| 	gen_require(` | ||||
| 		attribute file_type; | ||||
| 		class dir search; | ||||
| 		class file r_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 file_type:dir search; | ||||
| 	allow $1 file_type:file r_file_perms; | ||||
| 
 | ||||
| 	optional_policy(`authlogin.te',` | ||||
| 		auth_read_shadow($1) | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Get the attributes of all symbolic links. | ||||
| @ -209,6 +253,25 @@ interface(`files_dontaudit_getattr_all_symlinks',` | ||||
| 	dontaudit $1 file_type:lnk_file getattr; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Read all symbolic links. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`files_read_all_symlinks',` | ||||
| 	gen_require(` | ||||
| 		attribute file_type; | ||||
| 		class dir search; | ||||
| 		class lnk_file { getattr read }; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 file_type:dir search; | ||||
| 	allow $1 file_type:lnk_file { getattr read }; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Get the attributes of all named pipes. | ||||
|  | ||||
| @ -410,6 +410,10 @@ optional_policy(`raid.te',` | ||||
| 	raid_manage_mdadm_pid(initrc_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`quota.te',` | ||||
| 	quota_manage_flags(initrc_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`rhgb.te',` | ||||
| 	corecmd_shell_entry_type(initrc_t) | ||||
| ') | ||||
|  | ||||
| @ -265,6 +265,10 @@ template(`base_user_template',` | ||||
| 		pcmcia_read_pid($1_t) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`quota.te',` | ||||
| 		quota_dontaudit_getattr_db($1_t) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`rpm.te',` | ||||
| 		files_getattr_var_lib_dir($1_t) | ||||
| 		files_search_var_lib($1_t) | ||||
|  | ||||
| @ -175,6 +175,10 @@ ifdef(`targeted_policy',` | ||||
| 		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`quota.te',` | ||||
| 		quota_run(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`rpm.te',` | ||||
| 		rpm_run(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user