add amanda

Chris PeBenito 2005-10-22 19:58:58 +00:00
parent 239db5e20c
commit 10b1f324d5
8 changed files with 146 additions and 3 deletions


@ -2,6 +2,7 @@
build phase instead of during the generation phase. build phase instead of during the generation phase.
- DISTRO=redhat now implies DIRECT_INITRC=y. - DISTRO=redhat now implies DIRECT_INITRC=y.
- Added policies: - Added policies:
amanda
canna canna
cyrus cyrus
dovecot dovecot


@ -1393,6 +1393,23 @@ interface(`kernel_rw_unlabeled_dir',`
allow $1 unlabeled_t:dir rw_dir_perms; allow $1 unlabeled_t:dir rw_dir_perms;
') ')
########################################
## <summary>
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_file',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:file getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts by caller to get attributes for ## Do not audit attempts by caller to get attributes for
@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
class blk_file getattr; class blk_file getattr;
') ')
allow $1 unlabeled_t:blk_file getattr; dontaudit $1 unlabeled_t:blk_file getattr;
') ')
######################################## ########################################
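Review bot: The second hunk turns the body of kernel_dontaudit_getattr_unlabeled_blk_dev from an `allow` into a `dontaudit` (reading the doubled line as old then new), which is a silent tightening: any domain that called this interface and actually relied on the blk_file getattr access it used to grant will now be denied, with no audit message to point at the cause. That deserves a Changelog entry next to the added-module list, e.g. `- kernel_dontaudit_getattr_unlabeled_blk_dev no longer allows access; it only suppresses the audit message, as its name says.`. The new kernel_dontaudit_getattr_unlabeled_file interface in the first hunk is written in that corrected form, though its parameter text `The process type not to audit.` differs from the `Domain to not audit.` wording used elsewhere in the file.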


@ -1,5 +1,5 @@
policy_module(bind,1.0) policy_module(bind,0.9)
######################################## ########################################
# #


@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t)
corenet_tcp_connect_all_ports(inetd_t) corenet_tcp_connect_all_ports(inetd_t)
# listen on service ports: # listen on service ports:
corenet_tcp_bind_amanda_port(inetd_t)
corenet_udp_bind_amanda_port(inetd_t)
corenet_tcp_bind_auth_port(inetd_t) corenet_tcp_bind_auth_port(inetd_t)
#corenet_udp_bind_comsat_port(inetd_t) #corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t)
@ -123,6 +125,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(inetd_t) files_dontaudit_read_root_file(inetd_t)
') ')
optional_policy(`amanda.te',`
amanda_search_lib(inetd_t)
')
optional_policy(`mount.te',` optional_policy(`mount.te',`
mount_send_nfs_client_request(inetd_t) mount_send_nfs_client_request(inetd_t)
') ')
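Review bot: The new rules call `corenet_tcp_bind_amanda_port`, `corenet_udp_bind_amanda_port` and `amanda_search_lib`, but none of the eight file sections in this commit defines an amanda module or amanda port declarations; unless those already exist in the tree (the page shows no amanda.te/.if and no corenetwork change), the m4 expansion fails on undefined macros. The same applies to `amanda_run_recover` in the sysadm.te section. Separately, the two port-bind lines sit outside the `optional_policy(`amanda.te',...)` block while `amanda_search_lib` is inside it, so inetd_t keeps the amanda port binds even when the amanda module is not built; that follows how the neighbouring auth and dbskkd entries are written, but moving the two binds into the optional block would tie the grant to the module's presence.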


@ -1,5 +1,5 @@
policy_module(networkmanager,1.0) policy_module(networkmanager,0.9)
######################################## ########################################
# #


@ -616,6 +616,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
dontaudit $1 { file_type -security_file_type }:sock_file getattr; dontaudit $1 { file_type -security_file_type }:sock_file getattr;
') ')
########################################
## <summary>
## Read all block nodes with file types.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_all_blk_nodes',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir search;
allow $1 file_type:blk_file { getattr read };
')
########################################
## <summary>
## Read all character nodes with file types.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_all_chr_nodes',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir search;
allow $1 file_type:chr_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Relabel all files on the filesystem, except ## Relabel all files on the filesystem, except
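Review bot: The summaries of files_read_all_blk_nodes and files_read_all_chr_nodes understate what they grant: `allow $1 file_type:blk_file { getattr read }` over the whole file_type attribute is read access to every block device node on the system, i.e. raw access to the backing storage that sidesteps the labels of the files stored on it, and the chr_file variant does the same for character devices. Unlike the adjacent files_dontaudit_getattr_non_security_sockets, which carves out security_file_type, both new interfaces apply to all of file_type; that may be intended, but it is worth stating. Suggested summary for the first: `## Read all block device nodes that have file types. This is raw read access to the backing storage of any such device and bypasses per-file labeling; intended for backup-style domains only.`, with matching wording for the character-node interface.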


@ -1801,6 +1801,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
dontaudit $1 sysadm_home_dir_t:dir r_dir_perms; dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
') ')
########################################
## <summary>
## Create objects in sysadm home directories
## with automatic file type transition.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="object_class" optional="true">
## The class of the object to be created.
## If not specified, file is used.
## </param>
#
interface(`userdom_create_sysadm_home',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t, user_home_t;
')
allow $1 user_home_dir_t:dir rw_dir_perms;
ifelse(`$2',`',`
ifelse(`$3',`',`
type_transition $1 user_home_dir_t:file user_home_t;
',`
type_transition $1 user_home_dir_t:$3 user_home_t;
')
',`
ifelse(`$3',`',`
type_transition $1 user_home_dir_t:file $2;
',`
type_transition $1 user_home_dir_t:$3 $2;
')
')
',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
allow $1 sysadm_home_dir_t:dir rw_dir_perms;
ifelse(`$2',`',`
ifelse(`$3',`',`
type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
',`
type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
')
',`
ifelse(`$3',`',`
type_transition $1 sysadm_home_dir_t:file $2;
',`
type_transition $1 sysadm_home_dir_t:$3 $2;
')
')
')
')
########################################
## <summary>
## Search the sysadm users home sub directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_search_sysadm_home_subdirs',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t, user_home_t;
')
allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
')
')
######################################## ########################################
## <summary> ## <summary>
## Read files in the sysadm users home directory. ## Read files in the sysadm users home directory.
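Review bot: The parameter documentation of userdom_create_sysadm_home does not match its body: the code treats `$2` as the private type to transition to and `$3` as the object class (`ifelse(`$2',`',` ... `type_transition $1 sysadm_home_dir_t:$3 $2;`), but the header documents only the domain and a second parameter named object_class, so a caller following the docs would pass the class where the type is expected. Add a `<param name="private_type" optional="true">` entry describing $2 as the type given to the created object, defaulting to sysadm_home_t (user_home_t under targeted_policy), and make object_class the third documented parameter. In userdom_search_sysadm_home_subdirs the domain parameter is described as `Domain to not audit.` although the body is an allow rule; `Domain allowed access.` matches the rest of the file.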


@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
domain_ptrace_all_domains(sysadm_t) domain_ptrace_all_domains(sysadm_t)
') ')
optional_policy(`amanda.te',`
amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`apache.te',` optional_policy(`apache.te',`
apache_run_helper(sysadm_t,sysadm_r,admin_terminal) apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
#apache_run_all_scripts(sysadm_t,sysadm_r) #apache_run_all_scripts(sysadm_t,sysadm_r)