trunk: 5 patches from dan.
parent
09125ae411
commit
153fe24bdc
@ -12,8 +12,10 @@
|
||||
- Remove node definitions and change node usage to generic nodes.
|
||||
- Add kernel_service access vectors, from Stephen Smalley.
|
||||
- Added modules:
|
||||
git (Dan Walsh)
|
||||
gues (Dan Walsh)
|
||||
logadm (Dan Walsh)
|
||||
webadm (Dan Walsh)
|
||||
xguest (Dan Walsh)
|
||||
zosremote (Dan Walsh)
|
||||
|
||||
|
@ -187,5 +187,5 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
squid_signal(logrotate_t)
|
||||
squid_domtrans(logrotate_t)
|
||||
')
|
||||
|
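--- a/policy/modules/roles/webadm.fc
+++ b/policy/modules/roles/webadm.fc
@@ -0,0 +1 @@
+# No webadm file contexts.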
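--- a/policy/modules/roles/webadm.if
+++ b/policy/modules/roles/webadm.if
@@ -0,0 +1,50 @@
+## <summary>Web administrator role</summary>
+
+########################################
+## <summary>
+## Change to the web administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change',`
+gen_require(`
+role webadm_r;
+')
+
+allow $1 webadm_r;
+')
+
+########################################
+## <summary>
+## Change from the web administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the web administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change_to',`
+gen_require(`
+role webadm_r;
+')
+
+allow webadm_r $1;
+')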
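--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -0,0 +1,56 @@
+
+policy_module(webadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+#apache_admin(webadm_t, webadm_r)
+
+tunable_policy(`webadm_manage_user_files',`
+userdom_manage_user_home_content_files(webadm_t)
+userdom_read_user_tmp_files(webadm_t)
+userdom_write_user_tmp_files(webadm_t)
+')
+
+tunable_policy(`webadm_read_user_files',`
+userdom_read_user_home_content_files(webadm_t)
+userdom_read_user_tmp_files(webadm_t)
+')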
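Review bot: The capability set in `allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` is broad for a role whose only web-server grant, `#apache_admin(webadm_t, webadm_r)`, is commented out, so the module currently hands out dac_override and sys_ptrace while giving the role nothing web-related to use them on. dac_override lets webadm_t bypass file permission bits on every type its SELinux rules already reach, and sys_ptrace lets it trace processes outside its own domain; each should carry a one-line comment saying what the web admin needs it for, or be dropped until the apache_admin call lands. I would delete the commented-out line rather than ship it, and re-add it as `optional_policy(` apache_admin(webadm_t, webadm_r) ')` once that interface exists. The description of `webadm_manage_user_files` should also mention user tmp files, since that branch grants `userdom_write_user_tmp_files(webadm_t)` as well as home content.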
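--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -0,0 +1,3 @@
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)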
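Review bot: `/var/lib/git(/.*)?` is labeled `httpd_git_content_t`, which as far as I recall is the apache_content_template type the web server domain itself reads, so the repositories would be exposed to httpd_t rather than only to the cgit script domain; if cgit is their only consumer, the template's `httpd_git_script_ro_t` looks like the narrower label — worth confirming against apache.if before changing. Whichever type is kept, a comment on the entry stating the intent, e.g. `# git repositories served through cgit`, would make the choice reviewable. Note that only the cgit CGI is covered here; git-daemon and git over ssh get no types from this module.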
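--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -0,0 +1 @@
+## <summary>GIT revision control system</summary>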
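--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
@@ -0,0 +1,9 @@
+
+policy_module(git, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(git)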
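Review bot: `policy_module(git, 1.0)` uses a two-part version while webadm.te in this same commit uses `policy_module(webadm, 1.0.0)`; for consistency with it this should be `policy_module(git, 1.0.0)`. The module body is only `apache_content_template(git)`, so the summary in git.if, `GIT revision control system`, promises more than the policy covers; something like `## <summary>cgit web front-end for git repositories (apache content types)</summary>` describes what is actually confined. Because the template comes from the apache module, this module cannot load without it, which is worth a one-line comment above the call.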
@ -49,6 +49,9 @@ storage_manage_fixed_disk(mdadm_t)
|
||||
storage_dev_filetrans_fixed_disk(mdadm_t)
|
||||
storage_read_scsi_generic(mdadm_t)
|
||||
|
||||
mls_file_read_all_levels(mdadm_t)
|
||||
mls_file_write_all_levels(mdadm_t)
|
||||
|
||||
term_dontaudit_list_ptys(mdadm_t)
|
||||
|
||||
# Helper program access
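Review bot: `mls_file_read_all_levels(mdadm_t)` and `mls_file_write_all_levels(mdadm_t)` make mdadm_t an MLS-trusted subject for file access at every sensitivity level, a considerably larger grant than the storage_* rules around them; if they are this hunk's additions (the rendering drops the +/- markers), a one-line comment naming the files or device nodes mdadm must reach at other levels would let a later reader check whether the write override is needed or read alone would do. Something like `# mdadm must open RAID member devices regardless of their level` in place of the bare rules is what I would expect here, with the actual reason filled in. The mdadm_t rules continue outside this hunk.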
|
||||
|
@ -18,6 +18,24 @@ interface(`udev_domtrans',`
|
||||
domtrans_pattern($1, udev_exec_t, udev_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute udev in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_exec',`
|
||||
gen_require(`
|
||||
type udev_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1, udev_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a udev helper in the udev domain.
|
||||
|
@ -181,6 +181,10 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(udev_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
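Review bot: `unconfined_domain(udev_t)` inside the `distro_redhat` block, which appears to be this hunk's addition (the rendering drops the +/- markers), removes all confinement from udev on Red Hat builds whenever the unconfined module is loaded; since udev_t runs root-privileged helpers on every hotplug event, this discards the protection the rest of udev.te provides. The grant should carry a comment recording which denials motivated it so it can be replaced by targeted rules, e.g. `# TODO: udev_t is fully unconfined on Red Hat; replace with the specific rules the distro helpers need`. The enclosing ifdef(`distro_redhat') block starts before this hunk, and the optional_policy opened on the last line continues past it.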
|
||||
|