add amanda
This commit is contained in:
parent
239db5e20c
commit
10b1f324d5
@ -2,6 +2,7 @@
|
||||
build phase instead of during the generation phase.
|
||||
- DISTRO=redhat now implies DIRECT_INITRC=y.
|
||||
- Added policies:
|
||||
amanda
|
||||
canna
|
||||
cyrus
|
||||
dovecot
|
||||
|
@ -1393,6 +1393,23 @@ interface(`kernel_rw_unlabeled_dir',`
|
||||
allow $1 unlabeled_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get the
|
||||
## attributes of an unlabeled file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_file',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
dontaudit $1 unlabeled_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:blk_file getattr;
|
||||
dontaudit $1 unlabeled_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
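Review bot: The second hunk of this file turns the `allow $1 unlabeled_t:blk_file getattr;` line in kernel_dontaudit_getattr_unlabeled_blk_dev into `dontaudit $1 unlabeled_t:blk_file getattr;` (assuming the allow line is the removed one, which the rendered page does not mark), and while that matches the interface name it also withdraws access that existing callers may have been relying on; because the denial is now dontaudited, such a regression would not show up in the AVC log. Listing the callers of this interface and adding a Changelog line such as `- kernel_dontaudit_getattr_unlabeled_blk_dev no longer grants the access it was meant to dontaudit.` would make the behavior change visible to policy users. The interface header and the opening of its gen_require lie outside this hunk. In the first hunk, the new kernel_dontaudit_getattr_unlabeled_file documents its parameter as `## The process type not to audit.`, whereas the rest of the tree (see `## Domain to not audit.` in userdom.if below) uses the shorter wording; matching it keeps the generated interface docs uniform.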
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bind,1.0)
|
||||
policy_module(bind,0.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t)
|
||||
corenet_tcp_connect_all_ports(inetd_t)
|
||||
|
||||
# listen on service ports:
|
||||
corenet_tcp_bind_amanda_port(inetd_t)
|
||||
corenet_udp_bind_amanda_port(inetd_t)
|
||||
corenet_tcp_bind_auth_port(inetd_t)
|
||||
#corenet_udp_bind_comsat_port(inetd_t)
|
||||
corenet_tcp_bind_dbskkd_port(inetd_t)
|
||||
@ -123,6 +125,10 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`amanda.te',`
|
||||
amanda_search_lib(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(inetd_t)
|
||||
')
|
||||
|
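Review bot: The port binds added in the first hunk, `corenet_tcp_bind_amanda_port(inetd_t)` and `corenet_udp_bind_amanda_port(inetd_t)`, are unconditional, while the related `amanda_search_lib(inetd_t)` in the second hunk is wrapped in `optional_policy(`amanda.te',`...')`. As written, inetd_t keeps the right to bind the amanda ports even when the amanda module is not loaded; placing the two bind calls inside that optional_policy block would keep the privilege tied to the module that needs it. The surrounding file binds the other service ports unconditionally, so this may be a deliberate convention rather than an oversight. The `ifdef(`targeted_policy'` block that the second hunk's context refers to begins outside this hunk.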
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.0)
|
||||
policy_module(networkmanager,0.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -616,6 +616,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
|
||||
dontaudit $1 { file_type -security_file_type }:sock_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all block nodes with file types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_all_blk_nodes',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:blk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all character nodes with file types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_all_chr_nodes',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:chr_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel all files on the filesystem, except
|
||||
|
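Review bot: The summaries of the new files_read_all_blk_nodes and files_read_all_chr_nodes interfaces understate what they grant: `allow $1 file_type:blk_file { getattr read };` covers every block node carrying a file type, which on most systems includes the raw disk and partition devices, so a caller effectively gains read access to the underlying storage regardless of the labels on the files stored there; the character-node variant similarly can reach memory and terminal devices. I would extend each summary with a sentence such as `## Note: block nodes include raw disk devices, so this is effectively read access to all storage; grant only to trusted backup-style domains.` so that anyone calling the interface sees the scope of the privilege. Whether device nodes carry the file_type attribute in this tree depends on how the device types are declared, which is not visible here.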
@ -1801,6 +1801,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
|
||||
dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in sysadm home directories
|
||||
## with automatic file type transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
## <param name="object_class" optional="true">
|
||||
## The class of the object to be created.
|
||||
## If not specified, file is used.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_create_sysadm_home',`
|
||||
ifdef(`targeted_policy',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir rw_dir_perms;
|
||||
ifelse(`$2',`',`
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 user_home_dir_t:file user_home_t;
|
||||
',`
|
||||
type_transition $1 user_home_dir_t:$3 user_home_t;
|
||||
')
|
||||
',`
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 user_home_dir_t:file $2;
|
||||
',`
|
||||
type_transition $1 user_home_dir_t:$3 $2;
|
||||
')
|
||||
')
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t, sysadm_home_t;
|
||||
')
|
||||
|
||||
allow $1 sysadm_home_dir_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$2',`',`
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
|
||||
',`
|
||||
type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
|
||||
')
|
||||
',`
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 sysadm_home_dir_t:file $2;
|
||||
',`
|
||||
type_transition $1 sysadm_home_dir_t:$3 $2;
|
||||
')
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the sysadm users home sub directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_search_sysadm_home_subdirs',`
|
||||
ifdef(`targeted_policy',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
|
||||
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t, sysadm_home_t;
|
||||
')
|
||||
|
||||
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the sysadm users home directory.
|
||||
|
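Review bot: The parameter documentation of userdom_create_sysadm_home does not match its implementation: the body reads `$2` as the private type to transition to (falling back to user_home_t or sysadm_home_t when it is empty) and `$3` as the object class, but the doc block lists only `domain` and `object_class`, so the generated docs would present the object class as the second argument. Add a `<param name="private_type" optional="true">` entry describing `$2` with its default, and move the existing `object_class` entry to the third position. In userdom_search_sysadm_home_subdirs, the parameter text `## Domain to not audit.` is wrong for an interface that only emits allow rules; it should read `## Domain allowed access.` as the other interfaces in this hunk do.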
@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
|
||||
domain_ptrace_all_domains(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`amanda.te',`
|
||||
amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`apache.te',`
|
||||
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||
#apache_run_all_scripts(sysadm_t,sysadm_r)
|
||||
|