trunk: 10 patches from dan.

This commit is contained in:
Chris PeBenito 2009-06-12 19:44:10 +00:00
parent 30425aa876
commit 45515556d4
19 changed files with 124 additions and 13 deletions

View File

@ -13,6 +13,9 @@
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) /var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(dcc, 1.7.2) policy_module(dcc, 1.7.3)
######################################## ########################################
# #

View File

@ -2,5 +2,7 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)

View File

@ -18,6 +18,25 @@ interface(`fail2ban_domtrans',`
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
') ')
########################################
## <summary>
## Read fail2ban lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_read_lib_files',`
gen_require(`
type fail2ban_var_lib_t;
')
files_search_var_lib($1)
allow $1 fail2ban_var_lib_t:file read_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to read fail2ban's log files. ## Allow the specified domain to read fail2ban's log files.
@ -105,7 +124,7 @@ interface(`fail2ban_admin',`
allow $1 fail2ban_t:process { ptrace signal_perms }; allow $1 fail2ban_t:process { ptrace signal_perms };
ps_process_pattern($1, fail2ban_t) ps_process_pattern($1, fail2ban_t)
init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r; role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r; allow $2 system_r;

View File

@ -1,5 +1,5 @@
policy_module(fail2ban, 1.2.1) policy_module(fail2ban, 1.2.2)
######################################## ########################################
# #
@ -17,6 +17,9 @@ init_script_file(fail2ban_initrc_exec_t)
type fail2ban_log_t; type fail2ban_log_t;
logging_log_file(fail2ban_log_t) logging_log_file(fail2ban_log_t)
type fail2ban_var_lib_t;
files_type(fail2ban_var_lib_t)
# pid files # pid files
type fail2ban_var_run_t; type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t) files_pid_file(fail2ban_var_run_t)
@ -26,6 +29,7 @@ files_pid_file(fail2ban_var_run_t)
# fail2ban local policy # fail2ban local policy
# #
allow fail2ban_t self:capability { sys_tty_config };
allow fail2ban_t self:process signal; allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
@ -36,6 +40,10 @@ allow fail2ban_t fail2ban_log_t:dir setattr;
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
# pid file # pid file
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)

View File

@ -1,5 +1,5 @@
policy_module(fetchmail, 1.8.1) policy_module(fetchmail, 1.8.2)
######################################## ########################################
# #
@ -9,6 +9,7 @@ policy_module(fetchmail, 1.8.1)
type fetchmail_t; type fetchmail_t;
type fetchmail_exec_t; type fetchmail_exec_t;
init_daemon_domain(fetchmail_t, fetchmail_exec_t) init_daemon_domain(fetchmail_t, fetchmail_exec_t)
application_executable_file(fetchmail_exec_t)
type fetchmail_var_run_t; type fetchmail_var_run_t;
files_pid_file(fetchmail_var_run_t) files_pid_file(fetchmail_var_run_t)

View File

@ -16,7 +16,7 @@ interface(`gpm_stream_connect',`
type gpmctl_t, gpm_t; type gpmctl_t, gpm_t;
') ')
allow $1 gpmctl_t:sock_file { getattr write }; allow $1 gpmctl_t:sock_file rw_sock_file_perms;
allow $1 gpm_t:unix_stream_socket connectto; allow $1 gpm_t:unix_stream_socket connectto;
') ')

View File

@ -1,5 +1,5 @@
policy_module(gpm, 1.6.0) policy_module(gpm, 1.6.1)
######################################## ########################################
# #
@ -54,6 +54,8 @@ dev_read_sysfs(gpm_t)
dev_rw_input_dev(gpm_t) dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t) dev_rw_mouse(gpm_t)
files_read_etc_files(gpm_t)
fs_getattr_all_fs(gpm_t) fs_getattr_all_fs(gpm_t)
fs_search_auto_mountpoints(gpm_t) fs_search_auto_mountpoints(gpm_t)

View File

@ -1,3 +1,4 @@
HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)

View File

@ -18,3 +18,30 @@ interface(`rlogin_domtrans',`
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, rlogind_exec_t, rlogind_t) domtrans_pattern($1, rlogind_exec_t, rlogind_t)
') ')
########################################
## <summary>
## read rlogin homedir content (.config)
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`rlogin_read_home_content',`
gen_require(`
type rlogind_home_t;
')
userdom_search_user_home_dirs($1)
list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
read_files_pattern($1, rlogind_home_t, rlogind_home_t)
read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
')

View File

@ -1,5 +1,5 @@
policy_module(rlogin, 1.8.3) policy_module(rlogin, 1.8.4)
######################################## ########################################
# #
@ -14,6 +14,9 @@ role system_r types rlogind_t;
type rlogind_devpts_t; #, userpty_type; type rlogind_devpts_t; #, userpty_type;
term_login_pty(rlogind_devpts_t) term_login_pty(rlogind_devpts_t)
type rlogind_home_t;
userdom_user_home_content(rlogind_home_t)
type rlogind_tmp_t; type rlogind_tmp_t;
files_tmp_file(rlogind_tmp_t) files_tmp_file(rlogind_tmp_t)
@ -90,6 +93,8 @@ userdom_read_user_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t) remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t) remotelogin_signal(rlogind_t)
rlogin_read_home_content(rlogind_t)
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(rlogind_t) fs_list_nfs(rlogind_t)
fs_read_nfs_files(rlogind_t) fs_read_nfs_files(rlogind_t)

View File

@ -1,5 +1,5 @@
policy_module(rshd, 1.6.1) policy_module(rshd, 1.6.2)
######################################## ########################################
# #
@ -83,6 +83,10 @@ optional_policy(`
kerberos_manage_host_rcache(rshd_t) kerberos_manage_host_rcache(rshd_t)
') ')
optional_policy(`
rlogin_read_home_content(rshd_t)
')
optional_policy(` optional_policy(`
tcpd_wrapped_domain(rshd_t, rshd_exec_t) tcpd_wrapped_domain(rshd_t, rshd_exec_t)
') ')

View File

@ -1,5 +1,5 @@
policy_module(rsync, 1.8.3) policy_module(rsync, 1.8.4)
######################################## ########################################
# #
@ -119,6 +119,8 @@ optional_policy(`
tunable_policy(`rsync_export_all_ro',` tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t) fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
fs_read_cifs_files(rsync_t)
auth_read_all_dirs_except_shadow(rsync_t) auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t) auth_read_all_files_except_shadow(rsync_t)
auth_read_all_symlinks_except_shadow(rsync_t) auth_read_all_symlinks_except_shadow(rsync_t)

View File

@ -1,5 +1,23 @@
## <summary>Trivial file transfer protocol daemon</summary> ## <summary>Trivial file transfer protocol daemon</summary>
########################################
## <summary>
## Read tftp content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
')
read_files_pattern($1, tftpdir_t, tftpdir_t)
')
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate

View File

@ -1,5 +1,5 @@
policy_module(tftp, 1.10.2) policy_module(tftp, 1.10.3)
######################################## ########################################
# #

View File

@ -60,6 +60,25 @@ interface(`ulogd_read_log',`
read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
') ')
#######################################
## <summary>
## Allow the specified domain to search ulogd's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ulogd_search_log',`
gen_require(`
type ulogd_var_log_t;
')
logging_search_logs($1)
allow $1 ulogd_var_log_t:dir search_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to append to ulogd's log files. ## Allow the specified domain to append to ulogd's log files.

View File

@ -1,5 +1,5 @@
policy_module(ulogd, 1.0.0) policy_module(ulogd, 1.0.1)
######################################## ########################################
# #

View File

@ -12,7 +12,7 @@
# #
interface(`zosremote_domtrans',` interface(`zosremote_domtrans',`
gen_require(` gen_require(`
type zos_remote_t, type zos_remote_exec_t; type zos_remote_t, zos_remote_exec_t;
') ')
domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)

View File

@ -1,4 +1,4 @@
policy_module(zosremote,1.0.0) policy_module(zosremote, 1.0.1)
######################################## ########################################
# #