trunk: 5 patches from dan.

This commit is contained in:
Chris PeBenito 2009-04-07 14:09:43 +00:00
parent 09125ae411
commit 153fe24bdc
11 changed files with 148 additions and 1 deletions


@ -12,8 +12,10 @@
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
- Added modules:
git (Dan Walsh)
gues (Dan Walsh)
logadm (Dan Walsh)
webadm (Dan Walsh)
xguest (Dan Walsh)
zosremote (Dan Walsh)


@ -187,5 +187,5 @@ optional_policy(`
')
optional_policy(`
squid_signal(logrotate_t)
squid_domtrans(logrotate_t)
')
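Review bot: The squid block now carries a domain transition and nothing in the hunk says why; with the `+`/`-` markers lost and a 5→5 line count I cannot tell which of `squid_signal(logrotate_t)` and `squid_domtrans(logrotate_t)` is the surviving line. `squid_domtrans` lets logrotate_t start squid in squid_t, which is a considerably wider grant than signal access, so the line deserves a why-comment naming what in the rotation script needs it, e.g. `# squid log rotation is driven by running squid itself from postrotate`. If the signal interface was intentionally dropped rather than replaced, that is worth stating too, since it changes what the postrotate hook may do.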


@ -0,0 +1 @@
# No webadm file contexts.


@ -0,0 +1,50 @@
## <summary>Web administrator role</summary>
########################################
## <summary>
## Change to the web administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`webadm_role_change',`
gen_require(`
role webadm_r;
')
allow $1 webadm_r;
')
########################################
## <summary>
## Change from the web administrator role.
## </summary>
## <desc>
## <p>
## Change from the web administrator role to
## the specified role.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`webadm_role_change_to',`
gen_require(`
role webadm_r;
')
allow webadm_r $1;
')
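Review bot: The `<desc>` of `webadm_role_change_to` states that the interface "is not allowed in upstream reference policy", yet this commit adds it to upstream reference policy itself, so the text is either stale or the interface does not belong here; the paragraph should be rewritten to describe the intended callers, or the interface left out. `webadm_role_change` has no `<desc>` at all while its sibling does; a one-paragraph `<desc>` along the lines of "Allow the specified role to change into webadm_r; intended for the login and user role definitions that grant web administration" would make the two interfaces read consistently. Both interfaces are complete within the hunk.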


@ -0,0 +1,56 @@
policy_module(webadm, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow webadm to manage files in users home directories
## </p>
## </desc>
gen_tunable(webadm_manage_user_files, false)
## <desc>
## <p>
## Allow webadm to read files in users home directories
## </p>
## </desc>
gen_tunable(webadm_read_user_files, false)
role webadm_r;
userdom_base_user_template(webadm)
########################################
#
# webadmin local policy
#
allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
files_dontaudit_search_all_dirs(webadm_t)
files_manage_generic_locks(webadm_t)
files_list_var(webadm_t)
selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
#apache_admin(webadm_t, webadm_r)
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
userdom_read_user_tmp_files(webadm_t)
userdom_write_user_tmp_files(webadm_t)
')
tunable_policy(`webadm_read_user_files',`
userdom_read_user_home_content_files(webadm_t)
userdom_read_user_tmp_files(webadm_t)
')
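Review bot: `#apache_admin(webadm_t, webadm_r)` is left commented out, so the module as committed grants the web administrator role no apache administration at all; either enable it as `optional_policy(` / `apache_admin(webadm_t, webadm_r)` / `')` or delete the line rather than leave dead code whose absence silently changes what the role can do. The `self:capability` line grants `dac_override dac_read_search sys_ptrace` together, which let webadm_t bypass file permission checks and inspect other processes — broad for a role scoped to web administration — and `seutil_domtrans_setfiles(webadm_t)` adds relabeling via setfiles; each of these should carry a comment naming the program or task that needs it so later reviewers can tell which are still required. The two tunables are documented; the declarations and rules are all within the hunk.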


@ -0,0 +1,3 @@
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)


@ -0,0 +1 @@
## <summary>GIT revision control system</summary>


@ -0,0 +1,9 @@
policy_module(git, 1.0)
########################################
#
# Declarations
#
apache_content_template(git)
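Review bot: `policy_module(git, 1.0)` uses a two-component version while the webadm module added in the same commit declares `policy_module(webadm, 1.0.0)`; the three-component form is what the rest of the tree appears to use, so this should read `policy_module(git, 1.0.0)`. The file contexts committed alongside label cgit paths (`/var/cache/cgit`, `/var/www/cgi-bin/cgit`) with the httpd_git_* types that `apache_content_template(git)` creates, but neither this file nor the module summary mentions cgit; a comment above the template call such as `# httpd_git_* types are used by the cgit web front end to git repositories` would tie the two together.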


@ -49,6 +49,9 @@ storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
# Helper program access
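Review bot: `mls_file_read_all_levels(mdadm_t)` and `mls_file_write_all_levels(mdadm_t)` exempt mdadm from MLS file constraints in both directions and the hunk gives no reason; with the markers lost I cannot tell whether these two or `term_dontaudit_list_ptys(mdadm_t)` and `storage_read_scsi_generic(mdadm_t)` are the three added lines, but the MLS override is the one that needs explaining either way. A root daemon that writes raw block devices deserves a comment stating why the level checks must be bypassed, e.g. `# array members may be labeled at any level; mdadm needs to read and write all of them`, so the exemption is not copied into other storage modules without thought.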


@ -18,6 +18,24 @@ interface(`udev_domtrans',`
domtrans_pattern($1, udev_exec_t, udev_t)
')
########################################
## <summary>
## Execute udev in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_exec',`
gen_require(`
type udev_exec_t;
')
can_exec($1, udev_exec_t)
')
########################################
## <summary>
## Execute a udev helper in the udev domain.


@ -181,6 +181,10 @@ ifdef(`distro_redhat',`
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
optional_policy(`
unconfined_domain(udev_t)
')
')
optional_policy(`
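Review bot: `unconfined_domain(udev_t)` inside the `distro_redhat` block removes confinement from udev entirely on Red Hat builds, a far larger grant than the arping transition beside it, and nothing in the hunk explains it. If it is a stopgap for helper programs that are not yet confined on that distribution, the block should say so and preferably be gated behind a tunable or build option rather than applied unconditionally; at minimum add `# udev helpers are not yet confined on this distro; remove once they are` above the `optional_policy` block. The enclosing `ifdef(\`distro_redhat'` opens before the hunk.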