add amanda

2005-10-22 19:58:58 +00:00 · 2005-10-22 19:58:58 +00:00 · 10b1f324d5
commit 10b1f324d5
parent 239db5e20c
8 changed files with 146 additions and 3 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -2,6 +2,7 @@
  build phase instead of during the generation phase.  
 - DISTRO=redhat now implies DIRECT_INITRC=y.
 - Added policies:
 	amanda
 	canna
 	cyrus
 	dovecot
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -1393,6 +1393,23 @@ interface(`kernel_rw_unlabeled_dir',`
 	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get the
 ##	attributes of an unlabeled file.
 ## </summary>
 ## <param name="domain">
 ##	The process type not to audit.
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_file',`
 	gen_require(`
 		type unlabeled_t;
 	')
 	dontaudit $1 unlabeled_t:file getattr;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get attributes for
@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 		class blk_file getattr;
 	')
-	allow $1 unlabeled_t:blk_file getattr;
+	dontaudit $1 unlabeled_t:blk_file getattr;
 ')
 ########################################
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@ -1,5 +1,5 @@
-policy_module(bind,1.0)
+policy_module(bind,0.9)
 ########################################
 #
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t)
 corenet_tcp_connect_all_ports(inetd_t)
 # listen on service ports:
 corenet_tcp_bind_amanda_port(inetd_t)
 corenet_udp_bind_amanda_port(inetd_t)
 corenet_tcp_bind_auth_port(inetd_t)
 #corenet_udp_bind_comsat_port(inetd_t)
 corenet_tcp_bind_dbskkd_port(inetd_t)
@ -123,6 +125,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(inetd_t)
 ')
 optional_policy(`amanda.te',`
 	amanda_search_lib(inetd_t)
 ')
 optional_policy(`mount.te',`
 	mount_send_nfs_client_request(inetd_t)
 ')
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@ -1,5 +1,5 @@
-policy_module(networkmanager,1.0)
+policy_module(networkmanager,0.9)
 ########################################
 #
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -616,6 +616,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
 	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
 ')
 ########################################
 ## <summary>
 ##	Read all block nodes with file types.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`files_read_all_blk_nodes',`
 	gen_require(`
 		attribute file_type;
 	')
 	allow $1 file_type:dir search;
 	allow $1 file_type:blk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Read all character nodes with file types.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`files_read_all_chr_nodes',`
 	gen_require(`
 		attribute file_type;
 	')
 	allow $1 file_type:dir search;
 	allow $1 file_type:chr_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -1801,6 +1801,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
 	dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Create objects in sysadm home directories
 ##	with automatic file type transition.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 ## <param name="object_class" optional="true">
 ##	The class of the object to be created.
 ##	If not specified, file is used.
 ## </param>
 #
 interface(`userdom_create_sysadm_home',`
 	ifdef(`targeted_policy',`
 		gen_require(`
 			type user_home_dir_t, user_home_t;
 		')
 		allow $1 user_home_dir_t:dir rw_dir_perms;
 		ifelse(`$2',`',`
 			ifelse(`$3',`',`
 				type_transition $1 user_home_dir_t:file user_home_t;
 			',`
 				type_transition $1 user_home_dir_t:$3 user_home_t;
 			')
 		',`
 			ifelse(`$3',`',`
 				type_transition $1 user_home_dir_t:file $2;
 			',`
 				type_transition $1 user_home_dir_t:$3 $2;
 			')
 		')
 	',`
 		gen_require(`
 			type sysadm_home_dir_t, sysadm_home_t;
 		')
 		allow $1 sysadm_home_dir_t:dir rw_dir_perms;
 		ifelse(`$2',`',`
 			ifelse(`$3',`',`
 				type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
 			',`
 				type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
 			')
 		',`
 			ifelse(`$3',`',`
 				type_transition $1 sysadm_home_dir_t:file $2;
 			',`
 				type_transition $1 sysadm_home_dir_t:$3 $2;
 			')
 		')
 	')
 ')
 ########################################
 ## <summary>
 ##	Search the sysadm users home sub directories.
 ## </summary>
 ## <param name="domain">
 ##	Domain to not audit.
 ## </param>
 #
 interface(`userdom_search_sysadm_home_subdirs',`
 	ifdef(`targeted_policy',`
 		gen_require(`
 			type user_home_dir_t, user_home_t;
 		')
 		allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 	',`
 		gen_require(`
 			type sysadm_home_dir_t, sysadm_home_t;
 		')
 		allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
 	')
 ')
 ########################################
 ## <summary>
 ##	Read files in the sysadm users home directory.
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
 		domain_ptrace_all_domains(sysadm_t)
 	')
 	optional_policy(`amanda.te',`
 		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
 	')
 	optional_policy(`apache.te',`
 		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
 		#apache_run_all_scripts(sysadm_t,sysadm_r)