dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.

Disable transition from dbus_session_domain to telepathy for F14
Allow boinc_project to use shm
Allow certmonger to search through directories that contain certs
Allow fail2ban the DAC Override so it can read log files owned by non root users
This commit is contained in:
Dan Walsh 2010-10-07 09:06:56 -04:00
parent 039c65f92f
commit 3235a8bbe6
6 changed files with 39 additions and 2 deletions

View File

@ -152,6 +152,8 @@ allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
dontaudit sandbox_x_domain self:process signal;
allow sandbox_x_domain self:shm create_shm_perms; allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };

View File

@ -29,7 +29,9 @@ template(`telepathy_domain_template',`
files_tmp_file(telepathy_$1_tmp_t) files_tmp_file(telepathy_$1_tmp_t)
ubac_constrained(telepathy_$1_tmp_t) ubac_constrained(telepathy_$1_tmp_t)
ifdef(`TODO',`
dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
')
') ')
####################################### #######################################

View File

@ -578,6 +578,27 @@ interface(`apache_delete_cache_files',`
delete_files_pattern($1, httpd_cache_t, httpd_cache_t) delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
') ')
########################################
## <summary>
## Allow the specified domain to search
## apache configuration dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_search_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir search_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to read ## Allow the specified domain to read

View File

@ -122,6 +122,7 @@ allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigs
allow boinc_project_t self:process { execmem execstack }; allow boinc_project_t self:process { execmem execstack };
allow boinc_project_t self:fifo_file rw_fifo_file_perms; allow boinc_project_t self:fifo_file rw_fifo_file_perms;
allow boinc_project_t self:sem create_sem_perms;
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)

View File

@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t) sysnet_dns_name_resolve(certmonger_t)
userdom_search_user_home_content(certmonger_t)
optional_policy(`
apache_search_config(certmonger_t)
')
optional_policy(`
bind_search_cache(certmonger_t)
')
optional_policy(` optional_policy(`
dbus_system_bus_client(certmonger_t) dbus_system_bus_client(certmonger_t)
dbus_connect_system_bus(certmonger_t) dbus_connect_system_bus(certmonger_t)
@ -70,3 +80,4 @@ optional_policy(`
optional_policy(` optional_policy(`
pcscd_stream_connect(certmonger_t) pcscd_stream_connect(certmonger_t)
') ')

View File

@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t)
# fail2ban local policy # fail2ban local policy
# #
allow fail2ban_t self:capability { sys_tty_config }; allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
allow fail2ban_t self:process signal; allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };