trunk: 5 patches from dan.

2009-04-07 14:09:43 +00:00 · 2009-04-07 14:09:43 +00:00 · 153fe24bdc
commit 153fe24bdc
parent 09125ae411
11 changed files with 148 additions and 1 deletions
--- a/2
+++ b/2
@ -12,8 +12,10 @@
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.
 - Added modules:
+	git (Dan Walsh)
 	gues (Dan Walsh)
 	logadm (Dan Walsh)
+	webadm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)

--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@ -187,5 +187,5 @@ optional_policy(`
 ')

 optional_policy(`
-	squid_signal(logrotate_t)
+	squid_domtrans(logrotate_t)
 ')
--- a/policy/modules/roles/webadm.fc
+++ b/policy/modules/roles/webadm.fc
@ -0,0 +1 @@
+# No webadm file contexts.
--- a/policy/modules/roles/webadm.if
+++ b/policy/modules/roles/webadm.if
@ -0,0 +1,50 @@
+## <summary>Web administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the web administrator role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change',`
+	gen_require(`
+		role webadm_r;
+	')
+
+	allow $1 webadm_r;
+')
+
+########################################
+## <summary>
+##	Change from the web administrator role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the web administrator role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change_to',`
+	gen_require(`
+		role webadm_r;
+	')
+
+	allow webadm_r $1;
+')
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@ -0,0 +1,56 @@
+
+policy_module(webadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>   
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+#apache_admin(webadm_t, webadm_r)
+
+tunable_policy(`webadm_manage_user_files',`
+	userdom_manage_user_home_content_files(webadm_t)
+	userdom_read_user_tmp_files(webadm_t)
+	userdom_write_user_tmp_files(webadm_t)
+')
+
+tunable_policy(`webadm_read_user_files',`
+	userdom_read_user_home_content_files(webadm_t)
+	userdom_read_user_tmp_files(webadm_t)
+')
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@ -0,0 +1,3 @@
+/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@ -0,0 +1 @@
+## <summary>GIT revision control system</summary>
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@ -0,0 +1,9 @@
+
+policy_module(git, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(git)
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@ -49,6 +49,9 @@ storage_manage_fixed_disk(mdadm_t)
 storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)

+mls_file_read_all_levels(mdadm_t)
+mls_file_write_all_levels(mdadm_t)
+
 term_dontaudit_list_ptys(mdadm_t)

 # Helper program access
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@ -18,6 +18,24 @@ interface(`udev_domtrans',`
 	domtrans_pattern($1, udev_exec_t, udev_t)
 ')

+########################################
+## <summary>
+##	Execute udev in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_exec',`
+	gen_require(`
+		type udev_exec_t;
+	')
+
+	can_exec($1, udev_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute a udev helper in the udev domain.
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@ -181,6 +181,10 @@ ifdef(`distro_redhat',`

 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
+
+	optional_policy(`
+		unconfined_domain(udev_t)
+	')
 ')

 optional_policy(`
				`@ -0,0 +1 @@`
				`## <summary>GIT revision control system</summary>`