add certwatch
This commit is contained in:
Chris PeBenito
parent
0a77288692
commit
2bcdbd8ca3
|
|
@ -2,6 +2,7 @@
|
|||
- Change initrc_var_run_t interface noun from script_pid to utmp,
|
||||
for greater clarity.
|
||||
- Added modules:
|
||||
certwatch
|
||||
portage
|
||||
userhelper
|
||||
usernetctl
|
||||
|
|
|
|||
|
|
@ -566,6 +566,25 @@ interface(`apache_list_modules',`
|
|||
allow $1 httpd_modules_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to execute
|
||||
## apache modules.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_exec_modules',`
|
||||
gen_require(`
|
||||
type httpd_modules_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_modules_t:dir r_dir_perms;
|
||||
allow $1 httpd_modules_t:lnk_file r_file_perms;
|
||||
can_exec($1,httpd_modules_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
## <summary>Digital Certificate Tracking</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Domain transition to certwatch.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`certwatch_domtrans',`
|
||||
gen_require(`
|
||||
type certwatch_exec_t, certwatch_t;
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
domain_auto_trans($1,certwatch_exec_t,certwatch_t)
|
||||
|
||||
allow $1 certwatch_t:fd use;
|
||||
allow certwatch_t $1:fd use;
|
||||
allow certwatch_t $1:fifo_file rw_file_perms;
|
||||
allow certwatch_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute certwatch in the certwatch domain, and
|
||||
## allow the specified role the certwatch domain,
|
||||
## and use the caller's terminal. Has a sigchld
|
||||
## backchannel.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the certwatch domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the certwatch domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`certwatach_run',`
|
||||
gen_require(`
|
||||
type certwatch_t;
|
||||
')
|
||||
|
||||
certwatch_domtrans($1)
|
||||
role $2 types certwatch_t;
|
||||
allow certwatch_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
|
||||
policy_module(certwatch,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type certwatch_t;
|
||||
type certwatch_exec_t;
|
||||
domain_type(certwatch_t)
|
||||
domain_entry_file(certwatch_t,certwatch_exec_t)
|
||||
role system_r types certwatch_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
files_read_etc_files(certwatch_t)
|
||||
|
||||
libs_use_ld_so(certwatch_t)
|
||||
libs_use_shared_libs(certwatch_t)
|
||||
|
||||
logging_send_syslog_msg(certwatch_t)
|
||||
|
||||
miscfiles_read_certs(certwatch_t)
|
||||
miscfiles_read_localization(certwatch_t)
|
||||
|
||||
apache_exec_modules(certwatch_t)
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_system_entry(certwatch_t,certwatch_exec_t)
|
||||
')
|
||||
|
|
@ -187,6 +187,10 @@ ifdef(`targeted_policy',`
|
|||
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`certwatch',`
|
||||
certwatach_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`ddcprobe',`
|
||||
ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
|
|
|||
Loading…
Reference in New Issue