add raid (mdadm)

This commit is contained in:
Chris PeBenito 2005-07-15 20:45:26 +00:00
parent d9fd8e7562
commit 50aca6d2f9
7 changed files with 167 additions and 6 deletions

View File

@ -6,6 +6,7 @@
ipsec ipsec
nscd nscd
pcmcia pcmcia
raid
20050707 (7 Jul 2005) 20050707 (7 Jul 2005)
* Changed xml to have modules encapsulated by layer tags, rather * Changed xml to have modules encapsulated by layer tags, rather

View File

@ -1,9 +1,9 @@
## <summary>Policy for dmesg.</summary> ## <summary>Policy for dmesg.</summary>
######################################## ########################################
## <desc> ## <summary>
## Execute dmesg in the dmesg domain. ## Execute dmesg in the dmesg domain.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -26,9 +26,9 @@ interface(`dmesg_domtrans',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Execute dmesg in the caller domain. ## Execute dmesg in the caller domain.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>

View File

@ -403,6 +403,25 @@ interface(`kernel_read_software_raid_state',`
allow $1 proc_mdstat_t:file r_file_perms; allow $1 proc_mdstat_t:file r_file_perms;
') ')
#######################################
## <summary>
## Allow caller to read and set the state information for software raid.
## </summary>
## <param name="domain">
## The process type reading software raid state.
## </param>
#
interface(`kernel_rw_software_raid_state',`
gen_require(`
type proc_t, proc_mdstat_t;
class dir r_dir_perms;
class file rw_file_perms;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allows caller to get attribues of core kernel interface. ## Allows caller to get attribues of core kernel interface.

View File

@ -0,0 +1,5 @@
/sbin/mdadm -- system_u:object_r:mdadm_exec_t
/sbin/mdmpd -- system_u:object_r:mdadm_exec_t
/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t

View File

@ -0,0 +1,26 @@
## <summary>RAID array management tools</summary>
########################################
## <summary>
## Execute software raid tools in the mdadm domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`raid_domtrans_mdadm',`
gen_require(`
type mdadm_t, mdadm_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1,mdadm_exec_t,mdadm_t)
allow $1 mdadm_t:fd use;
allow mdadm_t $1:fd use;
allow mdadm_t $1:fifo_file rw_file_perms;
allow mdadm_t $1:process sigchld;
')

View File

@ -0,0 +1,89 @@
#DESC mdadm - Linux RAID tool
#
# Author: Colin Walters <walters@redhat.com>
#
type mdadm_t;
type mdadm_exec_t;
init_daemon_domain(mdadm_t,mdadm_exec_t)
role system_r types mdadm_t;
type mdadm_var_run_t;
files_pid_file(mdadm_var_run_t)
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t mdadm_var_run_t:file create_file_perms;
files_create_pid(mdadm_t,mdadm_var_run_t)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctl(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
dev_read_sysfs(mdadm_t)
# Ignore attempts to read every device file
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
fs_search_auto_mountpoints(mdadm_t)
# RAID block device access
storage_manage_fixed_disk(mdadm_t)
term_dontaudit_use_console(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
# Helper program access
corecmd_exec_bin(mdadm_t)
corecmd_exec_sbin(mdadm_t)
domain_use_wide_inherit_fd(mdadm_t)
files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
init_use_fd(mdadm_t)
init_use_script_pty(mdadm_t)
init_dontaudit_getattr_initctl(mdadm_t)
libs_use_ld_so(mdadm_t)
libs_use_shared_libs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
userdom_dontaudit_use_sysadm_tty(mdadm_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(mdadm_t)
term_dontaudit_use_generic_pty(mdadm_t)
files_dontaudit_read_root_file(mdadm_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(mdadm_t)
')
optional_policy(`selinux.te',`
seutil_sigchld_newrole(mdadm_t)
')
optional_policy(`udev.te', `
udev_read_db(mdadm_t)
')
ifdef(`TODO',`
allow initrc_t mdadm_var_run_t:file create_file_perms;
# Ignore attempts to read every device file
dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
# Other random ignores
dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
allow mdadm_t var_t:dir getattr;
') dnl TODO

View File

@ -1015,6 +1015,27 @@ interface(`userdom_use_sysadm_tty',`
') ')
') ')
########################################
## <summary>
## Do not audit attempts to use sysadm ttys.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_tty',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty($1)
',`
gen_require(`
attribute sysadm_tty_device_t;
class chr_file { read write };
')
dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')
')
######################################## ########################################
## <summary> ## <summary>
## Read and write sysadm ptys. ## Read and write sysadm ptys.
@ -1053,10 +1074,10 @@ interface(`userdom_use_sysadm_terms',`
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to use admin ttys and ptys. ## Do not audit attempts to use sysadm ttys and ptys.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## Domain to not audit.
## </param> ## </param>
# #
interface(`userdom_dontaudit_use_sysadm_terms',` interface(`userdom_dontaudit_use_sysadm_terms',`