add amanda
parent
239db5e20c
commit
10b1f324d5
@ -2,6 +2,7 @@
|
|||||||
build phase instead of during the generation phase.
|
build phase instead of during the generation phase.
|
||||||
- DISTRO=redhat now implies DIRECT_INITRC=y.
|
- DISTRO=redhat now implies DIRECT_INITRC=y.
|
||||||
- Added policies:
|
- Added policies:
|
||||||
|
amanda
|
||||||
canna
|
canna
|
||||||
cyrus
|
cyrus
|
||||||
dovecot
|
dovecot
|
||||||
|
@ -1393,6 +1393,23 @@ interface(`kernel_rw_unlabeled_dir',`
|
|||||||
allow $1 unlabeled_t:dir rw_dir_perms;
|
allow $1 unlabeled_t:dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts by caller to get the
|
||||||
|
## attributes of an unlabeled file.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The process type not to audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_dontaudit_getattr_unlabeled_file',`
|
||||||
|
gen_require(`
|
||||||
|
type unlabeled_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 unlabeled_t:file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts by caller to get attributes for
|
## Do not audit attempts by caller to get attributes for
|
||||||
@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
|||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 unlabeled_t:blk_file getattr;
|
dontaudit $1 unlabeled_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
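Review bot: Changing `allow $1 unlabeled_t:blk_file getattr;` to `dontaudit` in `kernel_dontaudit_getattr_unlabeled_blk_dev` matches the interface's name, but any caller that was relying on the old allow (none visible in this commit) will now be denied silently, and neither the interface summary nor the changelog hunk in this commit records that behavioural change. A changelog entry such as `- kernel_dontaudit_getattr_unlabeled_blk_dev no longer grants getattr; it now only suppresses the audit message.` would make the tightening visible to policy users. The interface header starts outside the hunk.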
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(bind,1.0)
|
policy_module(bind,0.9)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t)
|
|||||||
corenet_tcp_connect_all_ports(inetd_t)
|
corenet_tcp_connect_all_ports(inetd_t)
|
||||||
|
|
||||||
# listen on service ports:
|
# listen on service ports:
|
||||||
|
corenet_tcp_bind_amanda_port(inetd_t)
|
||||||
|
corenet_udp_bind_amanda_port(inetd_t)
|
||||||
corenet_tcp_bind_auth_port(inetd_t)
|
corenet_tcp_bind_auth_port(inetd_t)
|
||||||
#corenet_udp_bind_comsat_port(inetd_t)
|
#corenet_udp_bind_comsat_port(inetd_t)
|
||||||
corenet_tcp_bind_dbskkd_port(inetd_t)
|
corenet_tcp_bind_dbskkd_port(inetd_t)
|
||||||
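Review bot: The two new `corenet_tcp_bind_amanda_port(inetd_t)` / `corenet_udp_bind_amanda_port(inetd_t)` calls are unconditional, so inetd_t may bind the amanda ports on every system, whereas the amanda-specific lib access added later in this file is guarded by `optional_policy(`amanda.te',...)`. For least privilege the port binds could live in that same optional block, so the grant only exists when the amanda module is loaded; the neighbouring auth/dbskkd binds do follow the unconditional pattern, so if this is a deliberate convention a short comment on the new lines would help, e.g. `# amanda ports: bound unconditionally, like the other inetd service ports`. The enclosing rule list continues outside the hunk.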
@ -123,6 +125,10 @@ ifdef(`targeted_policy', `
|
|||||||
files_dontaudit_read_root_file(inetd_t)
|
files_dontaudit_read_root_file(inetd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`amanda.te',`
|
||||||
|
amanda_search_lib(inetd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`mount.te',`
|
optional_policy(`mount.te',`
|
||||||
mount_send_nfs_client_request(inetd_t)
|
mount_send_nfs_client_request(inetd_t)
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(networkmanager,1.0)
|
policy_module(networkmanager,0.9)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -616,6 +616,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
|
|||||||
dontaudit $1 { file_type -security_file_type }:sock_file getattr;
|
dontaudit $1 { file_type -security_file_type }:sock_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all block nodes with file types.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_all_blk_nodes',`
|
||||||
|
gen_require(`
|
||||||
|
attribute file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_type:dir search;
|
||||||
|
allow $1 file_type:blk_file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all character nodes with file types.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_all_chr_nodes',`
|
||||||
|
gen_require(`
|
||||||
|
attribute file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_type:dir search;
|
||||||
|
allow $1 file_type:chr_file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Relabel all files on the filesystem, except
|
## Relabel all files on the filesystem, except
|
||||||
|
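Review bot: The summaries of `files_read_all_blk_nodes` and `files_read_all_chr_nodes` understate how broad the grant is: `allow $1 file_type:blk_file { getattr read };` gives raw read on every block device node labelled with a file type (whether /dev nodes carry file_type depends on dev_node, not visible here), which exposes the underlying storage regardless of the labels of the files stored on it, and both interfaces also grant `dir search` over every file_type directory. The doc should state the consequence and the intended consumer, e.g. `## Read all block device nodes with file types.` followed by `## This is raw access to the underlying storage; intended for backup domains only.`, with the matching wording in the chr_file variant. Neither interface documents the implied `dir search` grant.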
@ -1801,6 +1801,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
|
|||||||
dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
|
dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create objects in sysadm home directories
|
||||||
|
## with automatic file type transition.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="object_class" optional="true">
|
||||||
|
## The class of the object to be created.
|
||||||
|
## If not specified, file is used.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_create_sysadm_home',`
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
gen_require(`
|
||||||
|
type user_home_dir_t, user_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_home_dir_t:dir rw_dir_perms;
|
||||||
|
ifelse(`$2',`',`
|
||||||
|
ifelse(`$3',`',`
|
||||||
|
type_transition $1 user_home_dir_t:file user_home_t;
|
||||||
|
',`
|
||||||
|
type_transition $1 user_home_dir_t:$3 user_home_t;
|
||||||
|
')
|
||||||
|
',`
|
||||||
|
ifelse(`$3',`',`
|
||||||
|
type_transition $1 user_home_dir_t:file $2;
|
||||||
|
',`
|
||||||
|
type_transition $1 user_home_dir_t:$3 $2;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_home_dir_t, sysadm_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sysadm_home_dir_t:dir rw_dir_perms;
|
||||||
|
|
||||||
|
ifelse(`$2',`',`
|
||||||
|
ifelse(`$3',`',`
|
||||||
|
type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
|
||||||
|
',`
|
||||||
|
type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
|
||||||
|
')
|
||||||
|
',`
|
||||||
|
ifelse(`$3',`',`
|
||||||
|
type_transition $1 sysadm_home_dir_t:file $2;
|
||||||
|
',`
|
||||||
|
type_transition $1 sysadm_home_dir_t:$3 $2;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search the sysadm users home sub directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_search_sysadm_home_subdirs',`
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
gen_require(`
|
||||||
|
type user_home_dir_t, user_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
|
||||||
|
|
||||||
|
',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_home_dir_t, sysadm_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read files in the sysadm users home directory.
|
## Read files in the sysadm users home directory.
|
||||||
|
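Review bot: The parameter documentation of `userdom_create_sysadm_home` does not match its body: the interface reads `$2` (the type given to the created object, falling back to sysadm_home_t / user_home_t when empty) and `$3` (the object class), but only `domain` and a single optional `object_class` are documented, so `$2` is undocumented and the documented optional parameter is really the third one. Add a second `<param>` entry for the private type, e.g. `## <param name="private_type" optional="true">` / `## The type of the created object; sysadm_home_t if not specified.` / `## </param>`, placed before the object_class entry. In the same hunk, `userdom_search_sysadm_home_subdirs` documents its parameter as `## Domain to not audit.` although the body is an `allow` rule; it should read `## Domain allowed access.` like the neighbouring interfaces.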
@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
|
|||||||
domain_ptrace_all_domains(sysadm_t)
|
domain_ptrace_all_domains(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`amanda.te',`
|
||||||
|
amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`apache.te',`
|
optional_policy(`apache.te',`
|
||||||
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||||
#apache_run_all_scripts(sysadm_t,sysadm_r)
|
#apache_run_all_scripts(sysadm_t,sysadm_r)
|
||||||
|