- Move booleans and tunables to modules when they are only used in a single
module. - Add support for tunables and booleans local to a module.
parent
8021cb4f63
commit
56e1b3d207
@ -1,3 +1,6 @@
|
|||||||
|
- Move booleans and tunables to modules when it is only used in a single
|
||||||
|
module.
|
||||||
|
- Add support for tunables and booleans local to a module.
|
||||||
- Merge sbin_t and ls_exec_t into bin_t.
|
- Merge sbin_t and ls_exec_t into bin_t.
|
||||||
- Remove disable_trans booleans.
|
- Remove disable_trans booleans.
|
||||||
- Output different header sets for kernel and userland from flask headers.
|
- Output different header sets for kernel and userland from flask headers.
|
||||||
|
41
Makefile
41
Makefile
@ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon
|
|||||||
# documentation paths
|
# documentation paths
|
||||||
docs := doc
|
docs := doc
|
||||||
xmldtd = $(docs)/policy.dtd
|
xmldtd = $(docs)/policy.dtd
|
||||||
layerxml = metadata.xml
|
metaxml = metadata.xml
|
||||||
doctemplate = $(docs)/templates
|
doctemplate = $(docs)/templates
|
||||||
docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
|
docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
|
||||||
|
|
||||||
@ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
|
|||||||
# when a generated file is already generated
|
# when a generated file is already generated
|
||||||
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
|
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
|
||||||
|
|
||||||
|
modxml := $(detected_mods:.te=.xml)
|
||||||
|
layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers))))
|
||||||
|
all_metaxml := $(addsuffix /$(metaxml), $(all_layers))
|
||||||
|
|
||||||
# modules.conf setting for base module
|
# modules.conf setting for base module
|
||||||
configbase := base
|
configbase := base
|
||||||
|
|
||||||
@ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c
|
|||||||
# Documentation generation
|
# Documentation generation
|
||||||
#
|
#
|
||||||
|
|
||||||
# minimal dependencies here, because we don't want to rebuild
|
$(modxml): %.xml: %.if %.te
|
||||||
# this and its dependents every time the dependencies
|
$(verbose) $(genxml) -w -m $* > $@
|
||||||
# change. Also use all .if files here, rather then just the
|
|
||||||
# enabled modules.
|
$(layerxml): %.xml: $(modxml) $(all_metaxml)
|
||||||
xml: $(polxml)
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||||
$(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
|
$(verbose) echo '<layer name="$(*F)">' > $@
|
||||||
|
$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@
|
||||||
|
$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@
|
||||||
|
$(verbose) echo '</layer>' >> $@
|
||||||
|
|
||||||
|
$(tunxml): $(globaltun)
|
||||||
|
$(verbose) $(genxml) -w -t $< > $@
|
||||||
|
|
||||||
|
$(boolxml): $(globalbool)
|
||||||
|
$(verbose) $(genxml) -w -b $< > $@
|
||||||
|
|
||||||
|
$(polxml): $(layerxml) $(tunxml) $(boolxml)
|
||||||
@echo "Creating $(@F)"
|
@echo "Creating $(@F)"
|
||||||
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
|
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
|
||||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||||
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
|
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
|
||||||
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
|
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
|
||||||
$(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@
|
$(verbose) echo '<policy>' >> $@
|
||||||
|
$(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@
|
||||||
|
$(verbose) echo '</policy>' >> $@
|
||||||
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
|
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
|
||||||
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
|
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$(tunxml) $(boolxml): $(polxml)
|
xml: $(polxml)
|
||||||
|
|
||||||
html $(tmpdir)/html: $(polxml)
|
html $(tmpdir)/html: $(polxml)
|
||||||
@echo "Building html interface reference documentation in $(htmldir)"
|
@echo "Building html interface reference documentation in $(htmldir)"
|
||||||
@ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts
|
|||||||
#
|
#
|
||||||
# Install policy headers
|
# Install policy headers
|
||||||
#
|
#
|
||||||
install-headers: $(tunxml) $(boolxml)
|
install-headers: $(layerxml) $(tunxml) $(boolxml)
|
||||||
@mkdir -p $(headerdir)
|
@mkdir -p $(headerdir)
|
||||||
@echo "Installing $(TYPE) policy headers."
|
@echo "Installing $(TYPE) policy headers."
|
||||||
$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir)
|
$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir)
|
||||||
@ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml)
|
|||||||
$(verbose) for i in $(notdir $(all_layers)); do \
|
$(verbose) for i in $(notdir $(all_layers)); do \
|
||||||
mkdir -p $(headerdir)/$$i ;\
|
mkdir -p $(headerdir)/$$i ;\
|
||||||
$(INSTALL) -m 644 $(moddir)/$$i/*.if \
|
$(INSTALL) -m 644 $(moddir)/$$i/*.if \
|
||||||
$(moddir)/$$i/metadata.xml \
|
$(moddir)/$$i/*.xml \
|
||||||
$(headerdir)/$$i ;\
|
$(headerdir)/$$i ;\
|
||||||
done
|
done
|
||||||
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
|
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
|
||||||
@ -620,6 +637,8 @@ resetlabels:
|
|||||||
#
|
#
|
||||||
bare: clean
|
bare: clean
|
||||||
rm -f $(polxml)
|
rm -f $(polxml)
|
||||||
|
rm -f $(layerxml)
|
||||||
|
rm -f $(modxml)
|
||||||
rm -f $(tunxml)
|
rm -f $(tunxml)
|
||||||
rm -f $(boolxml)
|
rm -f $(boolxml)
|
||||||
rm -f $(mod_conf)
|
rm -f $(mod_conf)
|
||||||
|
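Review bot: In the `@ -408,23 +412,36 @@` hunk the new `$(layerxml)` recipe assembles `$@` with one `>` and three `>>` redirections, so if one of the `cat` steps fails partway make stops with a truncated `$@` that carries a fresh timestamp and is treated as up to date on the next run; the rewritten `$(polxml)` recipe (`echo ... > $@` followed by `cat` and `echo ... >> $@`) has the same shape. Unless `.DELETE_ON_ERROR` is declared somewhere outside this diff, build into a name derived from `$@` and rename once complete, as below. Separately, `install-headers` now lists `$(layerxml)` as a prerequisite although its recipe never installs that file; the `$(moddir)/$$i/*.xml` glob it copies is produced by the `$(modxml)` rule, so `install-headers: $(modxml) $(tunxml) $(boolxml)` states the real dependency, and note that the glob will also pick up stale `.xml` files of modules no longer in `$(detected_mods)`.
```make
$(layerxml): %.xml: $(modxml) $(all_metaxml)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) echo '<layer name="$(*F)">' > $@.tmp
	$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@.tmp
	$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@.tmp
	$(verbose) echo '</layer>' >> $@.tmp
	$(verbose) mv -f $@.tmp $@
```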
@ -4,7 +4,7 @@
|
|||||||
<!ELEMENT layer (summary,module+)>
|
<!ELEMENT layer (summary,module+)>
|
||||||
<!ATTLIST layer
|
<!ATTLIST layer
|
||||||
name CDATA #REQUIRED>
|
name CDATA #REQUIRED>
|
||||||
<!ELEMENT module (summary,desc?,required?,(interface|template)*)>
|
<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
|
||||||
<!ATTLIST module
|
<!ATTLIST module
|
||||||
name CDATA #REQUIRED
|
name CDATA #REQUIRED
|
||||||
filename CDATA #REQUIRED>
|
filename CDATA #REQUIRED>
|
||||||
|
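Review bot: The new content model `(summary,desc?,required?,(interface|template)*,(bool|tunable)*)` makes element order significant: every `bool` or `tunable` child must come after the module's last `interface`/`template`, so the generator that emits the per-module XML (not in this hunk) has to write them in that order or the `xmllint --dtdvalid` step in the Makefile rejects the document. If ordering is not intended, `(summary,desc?,required?,(interface|template|bool|tunable)*)` accepts any interleaving. The `<!ELEMENT bool ...>` and `<!ELEMENT tunable ...>` declarations and their attribute lists are presumably elsewhere in policy.dtd; they are not visible here, so I cannot confirm they exist.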
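--- a/doc/templates/bool_list.html
+++ b/doc/templates/bool_list.html
@@ -0,0 +1,23 @@
+<h3>Master boolean index:</h3>
+
+[[for bool in booleans]]
+<div id="interfacesmall">
+[[if bool.has_key('mod_layer')]]
+Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
+[[bool['mod_name']]]</a><p/>
+Layer: <a href='[[bool['mod_layer']]].html'>
+[[bool['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[bool['bool_name']]]
+<small>(Default: [[bool['def_val']]])</small>
+</div>
+[[if bool['desc']]]
+<div id="description">
+[[bool['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]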
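Review bot: `<div id="interfacesmall">`, `<div id="codeblock">` and `<div id="description">` are emitted once per `[[for bool in booleans]]` iteration, so the generated page contains the same `id` many times, which is invalid HTML and breaks any CSS or script that addresses them by id; `class` is the right attribute for a repeated styling hook, e.g. `<div class="interfacesmall">`. The same per-iteration ids appear in `boolean.html`, `tun_list.html` and `tunable.html` in this commit. The expressions inside `[[ ]]` look like Python, in which case `bool.has_key('mod_layer')` (and `tun.has_key` in `tun_list.html`) only works on Python 2; `'mod_layer' in bool` behaves the same on both 2 and 3.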
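--- a/doc/templates/boolean.html
+++ b/doc/templates/boolean.html
@@ -0,0 +1,13 @@
+[[for bool in booleans]]
+<a name="link_[[bool['bool_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]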
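--- a/doc/templates/menu.html
+++ b/doc/templates/menu.html
@@ -16,6 +16,10 @@
 <p/><br/><p/>
 <a href="index.html">* Layer Index</a>
 <br/><p/>
+<a href="booleans.html">* Boolean Index</a>
+<br/><p/>
+<a href="tunables.html">* Tunable Index</a>
+<br/><p/>
 <a href="interfaces.html">* Interface Index</a>
 <br/><p/>
 <a href="templates.html">* Template Index</a>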
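--- a/doc/templates/module.html
+++ b/doc/templates/module.html
@@ -1,8 +1,16 @@
 <a name="top":></a>
 <h1>Layer: [[mod_layer]]</h1><p/>
 <h2>Module: [[mod_name]]</h2><p/>
-[[if interfaces and templates]]
+[[if booleans]]
+<a href=#booleans>Booleans</a>
+[[end]]
+[[if tunables]]
+<a href=#tunables>Tunables</a>
+[[end]]
+[[if interfaces]]
 <a href=#interfaces>Interfaces</a>
+[[end]]
+[[if templates]]
 <a href=#templates>Templates</a>
 [[end]]
 <h3>Description:</h3>
@@ -14,6 +22,19 @@
 [[if mod_req]]
 <p>This module is required to be included in all policies.</p>
 [[end]]
+<hr>
+[[if booleans]]
+<a name="booleans"></a>
+<h3>Booleans: </h3>
+[[booleans]]
+<a href=#top>Return</a>
+[[end]]
+[[if tunables]]
+<a name="tunables"></a>
+<h3>Tunables: </h3>
+[[tunables]]
+<a href=#top>Return</a>
+[[end]]
 [[if interfaces]]
 <a name="interfaces"></a>
 <h3>Interfaces: </h3>
@@ -26,6 +47,6 @@
 [[templates]]
 <a href=#top>Return</a>
 [[end]]
-[[if not templates and not interfaces]]
-<h3>No interfaces or templates.</h3>
+[[if not templates and not interfaces and not tunables]]
+<h3>No booleans, tunables, interfaces, or templates.</h3>
 [[end]]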
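Review bot: The fallback condition in the last hunk, `[[if not templates and not interfaces and not tunables]]`, still omits `booleans`, so a module that defines only booleans prints "No booleans, tunables, interfaces, or templates." directly below its Booleans section; it should read `[[if not templates and not interfaces and not tunables and not booleans]]`. The `href=#booleans` / `href=#tunables` links added in the first hunk do match the `<a name="booleans">` and `<a name="tunables">` anchors added in the second, so the in-page navigation is consistent.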
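--- a/doc/templates/tun_list.html
+++ b/doc/templates/tun_list.html
@@ -0,0 +1,23 @@
+<h3>Master tunable index:</h3>
+
+[[for tun in tunables]]
+<div id="interfacesmall">
+[[if tun.has_key('mod_layer')]]
+Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
+[[tun['mod_name']]]</a><p/>
+Layer: <a href='[[tun['mod_layer']]].html'>
+[[tun['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[tun['tun_name']]]
+<small>(Default: [[tun['def_val']]])</small>
+</div>
+[[if tun['desc']]]
+<div id="description">
+[[tun['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]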
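--- a/doc/templates/tunable.html
+++ b/doc/templates/tunable.html
@@ -0,0 +1,13 @@
+[[for tun in tunables]]
+<a name="link_[[tun['tun_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]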
@ -9,22 +9,6 @@
|
|||||||
# Common tunables
|
# Common tunables
|
||||||
#
|
#
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow cvs daemon to read shadow
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
#
|
|
||||||
gen_tunable(allow_cvs_read_shadow,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow zebra daemon to write it configuration files
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
#
|
|
||||||
gen_tunable(allow_zebra_write_config,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow making the heap executable.
|
## Allow making the heap executable.
|
||||||
@ -56,82 +40,6 @@ gen_tunable(allow_execmod,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_execstack,false)
|
gen_tunable(allow_execstack,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ftp servers to modify public files
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_ftpd_anon_write,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ftp servers to login to local users and
|
|
||||||
## read/write all files on the system, governed by DAC.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_ftpd_full_access,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ftp servers to use cifs
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_ftpd_use_cifs,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ftp servers to use nfs
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_ftpd_use_nfs,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow gssd to read temp directory.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_gssd_read_tmp,true)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow Apache to modify public files
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_httpd_anon_write,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow Apache to use mod_auth_pam
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_httpd_mod_auth_pam,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow java executable stack
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_java_execstack,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow system to run with kerberos
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_kerberos,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow nfs servers to modify public files
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_nfsd_anon_write,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Enable polyinstantiated directory support.
|
## Enable polyinstantiated directory support.
|
||||||
@ -139,30 +47,6 @@ gen_tunable(allow_nfsd_anon_write,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_polyinstantiation,false)
|
gen_tunable(allow_polyinstantiation,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow rsync to modify public files
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_rsync_anon_write,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow sasl to read shadow
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_saslauthd_read_shadow,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow samba to modify public files
|
|
||||||
## used for public file transfer services.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_smbd_anon_write,false)
|
|
||||||
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow system to run with NIS
|
## Allow system to run with NIS
|
||||||
@ -170,28 +54,6 @@ gen_tunable(allow_smbd_anon_write,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_ypbind,false)
|
gen_tunable(allow_ypbind,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Enable extra rules in the cron domain
|
|
||||||
## to support fcron.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(fcron_crond,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ftp to read and write files in the user home directories
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(ftp_home_dir,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ftpd to run directly without inetd
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(ftpd_is_daemon,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Enable reading of urandom for all domains.
|
## Enable reading of urandom for all domains.
|
||||||
@ -205,85 +67,6 @@ gen_tunable(ftpd_is_daemon,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(global_ssp,false)
|
gen_tunable(global_ssp,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow httpd to use built in scripting (usually php)
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_builtin_scripting,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow http daemon to tcp connect
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_can_network_connect,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow httpd to connect to mysql/posgresql
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_can_network_connect_db, false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow httpd to act as a relay
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_can_network_relay, false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow httpd cgi support
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_enable_cgi,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow httpd to act as a FTP server by
|
|
||||||
## listening on the ftp port.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_enable_ftp_server,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow httpd to read home directories
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_enable_homedirs,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Run SSI execs in system CGI script domain.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_ssi_exec,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow http daemon to communicate with the TTY
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_tty_comm,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Run CGI in the main httpd domain
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(httpd_unified,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow BIND to write the master zone files.
|
|
||||||
## Generally this is used for dynamic DNS.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(named_write_master_zones,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow nfs to be exported read/write.
|
## Allow nfs to be exported read/write.
|
||||||
@ -298,13 +81,6 @@ gen_tunable(nfs_export_all_rw,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(nfs_export_all_ro,false)
|
gen_tunable(nfs_export_all_ro,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow pppd to load kernel modules for certain modems
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(pppd_can_insmod,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow reading of default_t files.
|
## Allow reading of default_t files.
|
||||||
@ -312,43 +88,6 @@ gen_tunable(pppd_can_insmod,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(read_default_t,false)
|
gen_tunable(read_default_t,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow samba to export user home directories.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(samba_enable_home_dirs,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow samba to export NFS volumes.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(samba_share_nfs,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow squid to connect to all ports, not just
|
|
||||||
## HTTP, FTP, and Gopher ports.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(squid_connect_any,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ssh logins as sysadm_r:sysadm_t
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(ssh_sysadm_login,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Configure stunnel to be a standalone daemon or
|
|
||||||
## inetd service.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(stunnel_is_daemon,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Support NFS home directories
|
## Support NFS home directories
|
||||||
@ -363,115 +102,12 @@ gen_tunable(use_nfs_home_dirs,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(use_samba_home_dirs,false)
|
gen_tunable(use_samba_home_dirs,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow xdm logins as sysadm
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(xdm_sysadm_login,false)
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Strict policy specific
|
# Strict policy specific
|
||||||
#
|
#
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Control users use of ping and traceroute
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(user_ping,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow gpg executable stack
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_gpg_execstack,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow mplayer executable stack
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_mplayer_execstack,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow sysadm to ptrace all processes
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_ptrace,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## allow host key based authentication
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_ssh_keysign,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow users to connect to mysql
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_user_mysql_connect,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allows clients to write to the X server shared
|
|
||||||
## memory segments.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_write_xshm,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow cdrecord to read various content.
|
|
||||||
## nfs, samba, removable devices, user temp
|
|
||||||
## and untrusted content files
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(cdrecord_read_content,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow system cron jobs to relabel filesystem
|
|
||||||
## for restoring file contexts.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(cron_can_relabel,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## force to games to run in user_t
|
|
||||||
## mapping executable (text relocation).
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(disable_games_trans,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Disable transitions to evolution domains.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(disable_evolution_trans,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Disable transitions to user mozilla domains
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(disable_mozilla_trans,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Disable transitions to user thunderbird domains
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(disable_thunderbird_trans,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow email client to various content.
|
## Allow email client to various content.
|
||||||
@ -481,20 +117,6 @@ gen_tunable(disable_thunderbird_trans,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(mail_read_content,false)
|
gen_tunable(mail_read_content,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Control mozilla content access
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(mozilla_read_content,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow pppd to be run for a regular user
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(pppd_for_user,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow applications to read untrusted content
|
## Allow applications to read untrusted content
|
||||||
@ -504,65 +126,6 @@ gen_tunable(pppd_for_user,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(read_untrusted_content,false)
|
gen_tunable(read_untrusted_content,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow ssh to run from inetd instead of as a daemon.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(run_ssh_inetd,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow user spamassassin clients to use the network.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(spamassassin_can_network,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow staff_r users to search the sysadm home
|
|
||||||
## dir and read files (such as ~/.bashrc)
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(staff_read_sysadm_file,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Use lpd server instead of cups
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(use_lpd_server,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow regular users direct mouse access
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(user_direct_mouse,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow users to read system messages.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(user_dmesg,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow users to control network interfaces
|
|
||||||
## (also needs USERCTL=true)
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(user_net_control,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow user to r/w files on filesystems
|
|
||||||
## that do not have extended attributes (FAT, CDROM, FLOPPY)
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(user_rw_noexattrfile,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow users to run TCP servers (bind to ports and accept connection from
|
## Allow users to run TCP servers (bind to ports and accept connection from
|
||||||
@ -572,13 +135,6 @@ gen_tunable(user_rw_noexattrfile,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(user_tcp_server,false)
|
gen_tunable(user_tcp_server,false)
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow w to display everyone
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(user_ttyfile_stat,false)
|
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow applications to write untrusted content
|
## Allow applications to write untrusted content
|
||||||
@ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(write_untrusted_content,false)
|
gen_tunable(write_untrusted_content,false)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Targeted policy specific
|
|
||||||
#
|
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow all daemons the ability to use unallocated ttys
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_daemons_use_tty,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow mount to mount any file
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(allow_mount_anyfile,false)
|
|
||||||
|
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## Allow spamd to read/write user home directories.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
gen_tunable(spamd_enable_home_dirs,true)
|
|
||||||
')
|
|
||||||
|
@ -1,11 +1,20 @@
|
|||||||
|
|
||||||
policy_module(netutils,1.3.0)
|
policy_module(netutils,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Control users use of ping and traceroute
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(user_ping,false)
|
||||||
|
')
|
||||||
|
|
||||||
type netutils_t;
|
type netutils_t;
|
||||||
type netutils_exec_t;
|
type netutils_exec_t;
|
||||||
init_system_domain(netutils_t,netutils_exec_t)
|
init_system_domain(netutils_t,netutils_exec_t)
|
||||||
|
@ -1,10 +1,21 @@
|
|||||||
|
|
||||||
policy_module(cdrecord,1.1.0)
|
policy_module(cdrecord,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow cdrecord to read various content.
|
||||||
|
## nfs, samba, removable devices, user temp
|
||||||
|
## and untrusted content files
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(cdrecord_read_content,false)
|
||||||
|
')
|
||||||
|
|
||||||
type cdrecord_exec_t;
|
type cdrecord_exec_t;
|
||||||
corecmd_executable_file(cdrecord_exec_t)
|
corecmd_executable_file(cdrecord_exec_t)
|
||||||
|
@ -187,7 +187,6 @@ template(`evolution_per_role_template',`
|
|||||||
corecmd_exec_shell($1_evolution_t)
|
corecmd_exec_shell($1_evolution_t)
|
||||||
# Run various programs
|
# Run various programs
|
||||||
corecmd_exec_bin($1_evolution_t)
|
corecmd_exec_bin($1_evolution_t)
|
||||||
corecmd_exec_bin($1_evolution_t)
|
|
||||||
|
|
||||||
corenet_non_ipsec_sendrecv($1_evolution_t)
|
corenet_non_ipsec_sendrecv($1_evolution_t)
|
||||||
corenet_tcp_sendrecv_generic_if($1_evolution_t)
|
corenet_tcp_sendrecv_generic_if($1_evolution_t)
|
||||||
@ -674,7 +673,8 @@ template(`evolution_per_role_template',`
|
|||||||
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
|
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
|
||||||
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
|
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
|
||||||
|
|
||||||
allow $1_evolution_server_t $2:fd use;
|
# Transition from user type
|
||||||
|
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
|
||||||
|
|
||||||
kernel_read_system_state($1_evolution_server_t)
|
kernel_read_system_state($1_evolution_server_t)
|
||||||
|
|
||||||
@ -718,11 +718,6 @@ template(`evolution_per_role_template',`
|
|||||||
# until properly implemented
|
# until properly implemented
|
||||||
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
|
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
|
||||||
|
|
||||||
# Transition from user type
|
|
||||||
tunable_policy(`!disable_evolution_trans',`
|
|
||||||
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
# Access evolution home
|
# Access evolution home
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_files($1_evolution_server_t)
|
fs_manage_nfs_files($1_evolution_server_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(evolution,1.1.1)
|
policy_module(evolution,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -84,6 +84,7 @@ template(`games_per_role_template',`
|
|||||||
|
|
||||||
can_exec($1_games_t, games_exec_t)
|
can_exec($1_games_t, games_exec_t)
|
||||||
|
|
||||||
|
domain_auto_trans($2, games_exec_t, $1_games_t)
|
||||||
allow $2 $1_games_t:unix_stream_socket connectto;
|
allow $2 $1_games_t:unix_stream_socket connectto;
|
||||||
allow $1_games_t $2:unix_stream_socket connectto;
|
allow $1_games_t $2:unix_stream_socket connectto;
|
||||||
|
|
||||||
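Review bot: The new `domain_auto_trans($2, games_exec_t, $1_games_t)` carries no comment, while the `# Type transition` comment that used to introduce it is deleted in the next hunk and the equivalent evolution and mozilla hunks keep their `# Transition from user type` line. Keep the comment above the call here, and likewise above `domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)` in the thunderbird.if hunk, so the now-unconditional transition reads the same across the per-role templates. `games_per_role_template` starts outside the hunk.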
@ -136,11 +137,6 @@ template(`games_per_role_template',`
|
|||||||
# Suppress .icons denial until properly implemented
|
# Suppress .icons denial until properly implemented
|
||||||
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
|
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
|
||||||
|
|
||||||
# Type transition
|
|
||||||
tunable_policy(`!disable_games_trans',`
|
|
||||||
domain_auto_trans($2, games_exec_t, $1_games_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`allow_execmem',`
|
tunable_policy(`allow_execmem',`
|
||||||
allow $1_games_t self:process execmem;
|
allow $1_games_t self:process execmem;
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(games,1.1.2)
|
policy_module(games,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
|
|
||||||
policy_module(java,1.3.3)
|
policy_module(java,1.3.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow java executable stack
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_java_execstack,false)
|
||||||
|
|
||||||
type java_t;
|
type java_t;
|
||||||
type java_exec_t;
|
type java_exec_t;
|
||||||
init_system_domain(java_t,java_exec_t)
|
init_system_domain(java_t,java_exec_t)
|
||||||
|
@ -105,6 +105,10 @@ template(`mozilla_per_role_template',`
|
|||||||
|
|
||||||
allow $1_mozilla_t $2:process signull;
|
allow $1_mozilla_t $2:process signull;
|
||||||
|
|
||||||
|
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
|
||||||
|
# Unrestricted inheritance from the caller.
|
||||||
|
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
|
||||||
|
|
||||||
# Allow the user domain to signal/ps.
|
# Allow the user domain to signal/ps.
|
||||||
ps_process_pattern($2,$1_mozilla_t)
|
ps_process_pattern($2,$1_mozilla_t)
|
||||||
allow $2 $1_mozilla_t:process signal_perms;
|
allow $2 $1_mozilla_t:process signal_perms;
|
||||||
@ -207,13 +211,6 @@ template(`mozilla_per_role_template',`
|
|||||||
fs_manage_cifs_symlinks($1_mozilla_t)
|
fs_manage_cifs_symlinks($1_mozilla_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# Type transition
|
|
||||||
tunable_policy(`! disable_mozilla_trans',`
|
|
||||||
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
|
|
||||||
# Unrestricted inheritance from the caller.
|
|
||||||
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
|
|
||||||
')
|
|
||||||
|
|
||||||
# Uploads, local html
|
# Uploads, local html
|
||||||
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
|
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
|
||||||
fs_list_auto_mountpoints($1_mozilla_t)
|
fs_list_auto_mountpoints($1_mozilla_t)
|
||||||
|
@ -1,11 +1,20 @@
|
|||||||
|
|
||||||
policy_module(mozilla,1.1.1)
|
policy_module(mozilla,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Control mozilla content access
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(mozilla_read_content,false)
|
||||||
|
')
|
||||||
|
|
||||||
type mozilla_conf_t;
|
type mozilla_conf_t;
|
||||||
files_config_file(mozilla_conf_t)
|
files_config_file(mozilla_conf_t)
|
||||||
|
|
||||||
|
@ -1,11 +1,20 @@
|
|||||||
|
|
||||||
policy_module(mplayer,1.1.1)
|
policy_module(mplayer,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow mplayer executable stack
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_mplayer_execstack,false)
|
||||||
|
')
|
||||||
|
|
||||||
type mplayer_etc_t;
|
type mplayer_etc_t;
|
||||||
files_config_file(mplayer_etc_t)
|
files_config_file(mplayer_etc_t)
|
||||||
|
|
||||||
|
@ -77,6 +77,7 @@ template(`thunderbird_per_role_template',`
|
|||||||
manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
|
manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
|
||||||
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
|
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
|
||||||
allow $2 $1_thunderbird_t:fd use;
|
allow $2 $1_thunderbird_t:fd use;
|
||||||
allow $2 $1_thunderbird_t:shm { associate getattr };
|
allow $2 $1_thunderbird_t:shm { associate getattr };
|
||||||
allow $2 $1_thunderbird_t:unix_stream_socket connectto;
|
allow $2 $1_thunderbird_t:unix_stream_socket connectto;
|
||||||
@ -166,11 +167,6 @@ template(`thunderbird_per_role_template',`
|
|||||||
xserver_read_xdm_tmp_files($1_thunderbird_t)
|
xserver_read_xdm_tmp_files($1_thunderbird_t)
|
||||||
xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
|
xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
|
||||||
|
|
||||||
# Transition from user type
|
|
||||||
tunable_policy(`! disable_thunderbird_trans',`
|
|
||||||
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
# Access ~/.thunderbird
|
# Access ~/.thunderbird
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs($1_thunderbird_t)
|
fs_manage_nfs_dirs($1_thunderbird_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(thunderbird,1.1.1)
|
policy_module(thunderbird,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,11 +1,21 @@
|
|||||||
|
|
||||||
policy_module(usernetctl,1.0.0)
|
policy_module(usernetctl,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow users to control network interfaces
|
||||||
|
## (also needs USERCTL=true)
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(user_net_control,false)
|
||||||
|
')
|
||||||
|
|
||||||
type usernetctl_t;
|
type usernetctl_t;
|
||||||
type usernetctl_exec_t;
|
type usernetctl_exec_t;
|
||||||
domain_type(usernetctl_t)
|
domain_type(usernetctl_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(apache,1.5.4)
|
policy_module(apache,1.5.5)
|
||||||
|
|
||||||
#
|
#
|
||||||
# NOTES:
|
# NOTES:
|
||||||
@ -20,6 +20,92 @@ policy_module(apache,1.5.4)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow Apache to modify public files
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_httpd_anon_write,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow Apache to use mod_auth_pam
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_httpd_mod_auth_pam,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow httpd to use built in scripting (usually php)
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_builtin_scripting,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow http daemon to tcp connect
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_can_network_connect,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow httpd to connect to mysql/posgresql
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_can_network_connect_db, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow httpd to act as a relay
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_can_network_relay, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow httpd cgi support
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_enable_cgi,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow httpd to act as a FTP server by
|
||||||
|
## listening on the ftp port.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_enable_ftp_server,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow httpd to read home directories
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_enable_homedirs,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Run SSI execs in system CGI script domain.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_ssi_exec,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow http daemon to communicate with the TTY
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_tty_comm,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Run CGI in the main httpd domain
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(httpd_unified,false)
|
||||||
|
|
||||||
attribute httpdcontent;
|
attribute httpdcontent;
|
||||||
|
|
||||||
# domains that can exec all users scripts
|
# domains that can exec all users scripts
|
||||||
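Review bot: Two of the moved declarations, `gen_tunable(httpd_can_network_connect_db, false)` and `gen_tunable(httpd_can_network_relay, false)`, put a space after the comma while every other gen_tunable in this hunk does not; write them as `gen_tunable(httpd_can_network_connect_db,false)` and `gen_tunable(httpd_can_network_relay,false)` for consistency. The description of httpd_can_network_connect_db also misspells the database name; since the `## <desc>` blocks feed the generated module documentation this is user-visible, so change it to `## Allow httpd to connect to mysql/postgresql`.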
@ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms;
|
|||||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
|
allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||||
gen_tunable(httpd_suexec_disable_trans,false)
|
|
||||||
|
|
||||||
tunable_policy(`httpd_suexec_disable_trans',`',`
|
|
||||||
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
|
create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
|
||||||
append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
|
append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
|
||||||
|
@ -1,11 +1,19 @@
|
|||||||
|
|
||||||
policy_module(bind,1.3.1)
|
policy_module(bind,1.3.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow BIND to write the master zone files.
|
||||||
|
## Generally this is used for dynamic DNS.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(named_write_master_zones,false)
|
||||||
|
|
||||||
# for DNSSEC key files
|
# for DNSSEC key files
|
||||||
type dnssec_t;
|
type dnssec_t;
|
||||||
files_security_file(dnssec_t)
|
files_security_file(dnssec_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cron,1.5.1)
|
policy_module(cron,1.5.2)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -9,6 +9,23 @@ gen_require(`
|
|||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow system cron jobs to relabel filesystem
|
||||||
|
## for restoring file contexts.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(cron_can_relabel,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Enable extra rules in the cron domain
|
||||||
|
## to support fcron.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(fcron_crond,false)
|
||||||
|
|
||||||
attribute cron_spool_type;
|
attribute cron_spool_type;
|
||||||
|
|
||||||
type anacron_exec_t;
|
type anacron_exec_t;
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
|
|
||||||
policy_module(cvs,1.3.0)
|
policy_module(cvs,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow cvs daemon to read shadow
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_cvs_read_shadow,false)
|
||||||
|
|
||||||
type cvs_t;
|
type cvs_t;
|
||||||
type cvs_exec_t;
|
type cvs_exec_t;
|
||||||
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
|
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
|
||||||
|
@ -28,13 +28,11 @@ template(`ftp_per_role_template',`
|
|||||||
type ftpd_t;
|
type ftpd_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`ftpd_is_daemon',`
|
userdom_manage_user_home_content_files($1,ftpd_t)
|
||||||
userdom_manage_user_home_content_files($1,ftpd_t)
|
userdom_manage_user_home_content_symlinks($1,ftpd_t)
|
||||||
userdom_manage_user_home_content_symlinks($1,ftpd_t)
|
userdom_manage_user_home_content_sockets($1,ftpd_t)
|
||||||
userdom_manage_user_home_content_sockets($1,ftpd_t)
|
userdom_manage_user_home_content_pipes($1,ftpd_t)
|
||||||
userdom_manage_user_home_content_pipes($1,ftpd_t)
|
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
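Review bot: The five `userdom_manage_user_home_content_*`/`userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,...)` rules are now granted unconditionally, where before they were inside `tunable_policy(`ftpd_is_daemon',`; the only remaining gate would have to be in the enclosing `ftp_per_role_template`, which starts outside the hunk. The `ftp_home_dir` tunable that this same commit moves into ftp.te is documented as "Allow ftp to read and write files in the user home directories", so these rules look like exactly what it should gate: wrap them in `tunable_policy(`ftp_home_dir',`` ... `')`. If the template already does that above line 28, disregard; otherwise every role that instantiates the template hands ftpd_t write access to its home content regardless of the boolean.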
|
@ -1,11 +1,50 @@
|
|||||||
|
|
||||||
policy_module(ftp,1.4.3)
|
policy_module(ftp,1.4.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp servers to modify public files
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ftpd_anon_write,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp servers to login to local users and
|
||||||
|
## read/write all files on the system, governed by DAC.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ftpd_full_access,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp servers to use cifs
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ftpd_use_cifs,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp servers to use nfs
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ftpd_use_nfs,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ftp to read and write files in the user home directories
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(ftp_home_dir,false)
|
||||||
|
|
||||||
type ftpd_t;
|
type ftpd_t;
|
||||||
type ftpd_exec_t;
|
type ftpd_exec_t;
|
||||||
init_daemon_domain(ftpd_t,ftpd_exec_t)
|
init_daemon_domain(ftpd_t,ftpd_exec_t)
|
||||||
@ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t)
|
|||||||
type ftpd_etc_t;
|
type ftpd_etc_t;
|
||||||
files_config_file(ftpd_etc_t)
|
files_config_file(ftpd_etc_t)
|
||||||
|
|
||||||
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
|
|
||||||
type ftpd_lock_t;
|
type ftpd_lock_t;
|
||||||
files_lock_file(ftpd_lock_t)
|
files_lock_file(ftpd_lock_t)
|
||||||
|
|
||||||
@ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms;
|
|||||||
|
|
||||||
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
allow ftpd_t ftpd_etc_t:file read_file_perms;
|
||||||
|
|
||||||
|
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
||||||
|
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
|
||||||
|
|
||||||
manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
|
manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
|
||||||
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
|
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
|
||||||
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
||||||
@ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
|
|||||||
fs_read_cifs_symlinks(ftpd_t)
|
fs_read_cifs_symlinks(ftpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`ftpd_is_daemon',`
|
|
||||||
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
|
||||||
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
|
|
||||||
|
|
||||||
corenet_tcp_bind_ftp_port(ftpd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`ftp_home_dir',`
|
tunable_policy(`ftp_home_dir',`
|
||||||
apache_search_sys_content(ftpd_t)
|
apache_search_sys_content(ftpd_t)
|
||||||
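Review bot: `corenet_tcp_bind_ftp_port(ftpd_t)` is deleted together with the `ftpd_is_daemon` block, but the companion hunk at `@ -53,6 +91,9 @@` only re-adds the two ftpd_lock_t rules, so nothing in this diff restores the port binding. If the unconditional networking section earlier in ftp.te (outside these hunks) does not already contain it, a standalone ftpd loses the ability to bind the ftp port once the tunable is gone; add `corenet_tcp_bind_ftp_port(ftpd_t)` next to the other corenet_ rules there.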
@ -232,17 +266,10 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
#reh: typeattributes not allowed in conditionals yet.
|
|
||||||
#tunable_policy(`! ftpd_is_daemon',`
|
|
||||||
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
|
||||||
#')
|
|
||||||
|
|
||||||
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`! ftpd_is_daemon',`
|
tcpd_domtrans(tcpd_t)
|
||||||
tcpd_domtrans(tcpd_t)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(inetd,1.2.3)
|
policy_module(inetd,1.2.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -227,13 +227,6 @@ ifdef(`targeted_policy',`
|
|||||||
unconfined_domain(inetd_child_t)
|
unconfined_domain(inetd_child_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
tunable_policy(`ftpd_is_daemon',`
|
|
||||||
# Allows it to check exec privs on daemon
|
|
||||||
ftp_check_exec(inetd_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(inetd_child_t)
|
kerberos_use(inetd_child_t)
|
||||||
')
|
')
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
|
|
||||||
policy_module(kerberos,1.3.3)
|
policy_module(kerberos,1.3.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow system to run with kerberos
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_kerberos,false)
|
||||||
|
|
||||||
type kadmind_t;
|
type kadmind_t;
|
||||||
type kadmind_exec_t;
|
type kadmind_exec_t;
|
||||||
init_daemon_domain(kadmind_t,kadmind_exec_t)
|
init_daemon_domain(kadmind_t,kadmind_exec_t)
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
|
|
||||||
policy_module(lpd,1.4.2)
|
policy_module(lpd,1.4.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Use lpd server instead of cups
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(use_lpd_server,false)
|
||||||
|
|
||||||
type checkpc_t;
|
type checkpc_t;
|
||||||
type checkpc_exec_t;
|
type checkpc_exec_t;
|
||||||
init_system_domain(checkpc_t,checkpc_exec_t)
|
init_system_domain(checkpc_t,checkpc_exec_t)
|
||||||
|
@ -1,11 +1,27 @@
|
|||||||
|
|
||||||
policy_module(ppp,1.3.1)
|
policy_module(ppp,1.3.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow pppd to load kernel modules for certain modems
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(pppd_can_insmod,false)
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow pppd to be run for a regular user
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(pppd_for_user,false)
|
||||||
|
')
|
||||||
|
|
||||||
# pppd_t is the domain for the pppd program.
|
# pppd_t is the domain for the pppd program.
|
||||||
# pppd_exec_t is the type of the pppd executable.
|
# pppd_exec_t is the type of the pppd executable.
|
||||||
type pppd_t;
|
type pppd_t;
|
||||||
@ -172,20 +188,6 @@ ifdef(`targeted_policy', `
|
|||||||
term_dontaudit_use_unallocated_ttys(pppd_t)
|
term_dontaudit_use_unallocated_ttys(pppd_t)
|
||||||
term_dontaudit_use_generic_ptys(pppd_t)
|
term_dontaudit_use_generic_ptys(pppd_t)
|
||||||
files_dontaudit_read_root_files(pppd_t)
|
files_dontaudit_read_root_files(pppd_t)
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gen_require(`
|
|
||||||
bool postfix_disable_trans;
|
|
||||||
')
|
|
||||||
|
|
||||||
if(!postfix_disable_trans) {
|
|
||||||
postfix_domtrans_master(pppd_t)
|
|
||||||
}
|
|
||||||
')
|
|
||||||
',`
|
|
||||||
optional_policy(`
|
|
||||||
postfix_domtrans_master(pppd_t)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -210,6 +212,10 @@ optional_policy(`
|
|||||||
nscd_socket_use(pppd_t)
|
nscd_socket_use(pppd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
postfix_domtrans_master(pppd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(pppd_t)
|
seutil_sigchld_newrole(pppd_t)
|
||||||
')
|
')
|
||||||
|
@ -1,11 +1,26 @@
|
|||||||
|
|
||||||
policy_module(rpc,1.4.3)
|
policy_module(rpc,1.4.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow gssd to read temp directory.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_gssd_read_tmp,true)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow nfs servers to modify public files
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_nfsd_anon_write,false)
|
||||||
|
|
||||||
type exports_t;
|
type exports_t;
|
||||||
files_type(exports_t)
|
files_type(exports_t)
|
||||||
|
|
||||||
|
@ -1,11 +1,19 @@
|
|||||||
|
|
||||||
policy_module(rsync,1.3.1)
|
policy_module(rsync,1.3.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow rsync to modify public files
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_rsync_anon_write,false)
|
||||||
|
|
||||||
type rsync_t;
|
type rsync_t;
|
||||||
type rsync_exec_t;
|
type rsync_exec_t;
|
||||||
init_daemon_domain(rsync_t,rsync_exec_t)
|
init_daemon_domain(rsync_t,rsync_exec_t)
|
||||||
|
@ -1,11 +1,33 @@
|
|||||||
|
|
||||||
policy_module(samba,1.4.2)
|
policy_module(samba,1.4.3)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow samba to modify public files
|
||||||
|
## used for public file transfer services.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_smbd_anon_write,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow samba to export user home directories.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(samba_enable_home_dirs,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow samba to export NFS volumes.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(samba_share_nfs,false)
|
||||||
|
|
||||||
type nmbd_t;
|
type nmbd_t;
|
||||||
type nmbd_exec_t;
|
type nmbd_exec_t;
|
||||||
init_daemon_domain(nmbd_t,nmbd_exec_t)
|
init_daemon_domain(nmbd_t,nmbd_exec_t)
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
|
|
||||||
policy_module(sasl,1.4.1)
|
policy_module(sasl,1.4.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sasl to read shadow
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_saslauthd_read_shadow,false)
|
||||||
|
|
||||||
type saslauthd_t;
|
type saslauthd_t;
|
||||||
type saslauthd_exec_t;
|
type saslauthd_exec_t;
|
||||||
init_daemon_domain(saslauthd_t,saslauthd_exec_t)
|
init_daemon_domain(saslauthd_t,saslauthd_exec_t)
|
||||||
|
@ -1,11 +1,29 @@
|
|||||||
|
|
||||||
policy_module(spamassassin,1.5.5)
|
policy_module(spamassassin,1.5.6)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow user spamassassin clients to use the network.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(spamassassin_can_network,false)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow spamd to read/write user home directories.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(spamd_enable_home_dirs,true)
|
||||||
|
')
|
||||||
|
|
||||||
# spamassassin client executable
|
# spamassassin client executable
|
||||||
type spamc_exec_t;
|
type spamc_exec_t;
|
||||||
corecmd_executable_file(spamc_exec_t)
|
corecmd_executable_file(spamc_exec_t)
|
||||||
|
@ -1,11 +1,19 @@
|
|||||||
|
|
||||||
policy_module(squid,1.2.1)
|
policy_module(squid,1.2.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow squid to connect to all ports, not just
|
||||||
|
## HTTP, FTP, and Gopher ports.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(squid_connect_any,false)
|
||||||
|
|
||||||
type squid_t;
|
type squid_t;
|
||||||
type squid_exec_t;
|
type squid_exec_t;
|
||||||
init_daemon_domain(squid_t,squid_exec_t)
|
init_daemon_domain(squid_t,squid_exec_t)
|
||||||
|
@ -476,6 +476,7 @@ template(`ssh_server_template', `
|
|||||||
corenet_non_ipsec_sendrecv($1_t)
|
corenet_non_ipsec_sendrecv($1_t)
|
||||||
corenet_tcp_bind_all_nodes($1_t)
|
corenet_tcp_bind_all_nodes($1_t)
|
||||||
corenet_udp_bind_all_nodes($1_t)
|
corenet_udp_bind_all_nodes($1_t)
|
||||||
|
corenet_tcp_bind_ssh_port($1_t)
|
||||||
corenet_tcp_connect_all_ports($1_t)
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
corenet_sendrecv_ssh_server_packets($1_t)
|
corenet_sendrecv_ssh_server_packets($1_t)
|
||||||
|
|
||||||
@ -517,25 +518,6 @@ template(`ssh_server_template', `
|
|||||||
fs_read_cifs_files($1_t)
|
fs_read_cifs_files($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# cjp: commenting out until typeattribute works in conditional
|
|
||||||
# and require block in optional else is resolved
|
|
||||||
#optional_policy(`
|
|
||||||
# tunable_policy(`run_ssh_inetd',`
|
|
||||||
# allow $1_t self:process signal;
|
|
||||||
# files_list_pids($1_t)
|
|
||||||
# ',`
|
|
||||||
# corenet_tcp_bind_ssh_port($1_t)
|
|
||||||
# init_use_fds($1_t)
|
|
||||||
# init_use_script_ptys($1_t)
|
|
||||||
# ')
|
|
||||||
#',`
|
|
||||||
# These rules should match the else block
|
|
||||||
# of the run_ssh_inetd tunable directly above
|
|
||||||
corenet_tcp_bind_ssh_port($1_t)
|
|
||||||
init_use_fds($1_t)
|
|
||||||
init_use_script_ptys($1_t)
|
|
||||||
#')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1_t)
|
kerberos_use($1_t)
|
||||||
')
|
')
|
||||||
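Review bot: `init_use_fds($1_t)` and `init_use_script_ptys($1_t)` are deleted along with the commented-out run_ssh_inetd block, while the preceding hunk only re-adds `corenet_tcp_bind_ssh_port($1_t)`. Those two lines were live policy (they were not behind `#`), so unless `ssh_server_template` already grants them further up — the template starts outside the hunk — an sshd launched from an init script loses access to init's file descriptors and script ptys. Re-add them beside the ssh port binding: `init_use_fds($1_t)` and `init_use_script_ptys($1_t)`.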
|
@ -1,11 +1,25 @@
|
|||||||
|
|
||||||
policy_module(ssh,1.5.1)
|
policy_module(ssh,1.5.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## allow host key based authentication
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ssh_keysign,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow ssh logins as sysadm_r:sysadm_t
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(ssh_sysadm_login,false)
|
||||||
|
|
||||||
attribute ssh_server;
|
attribute ssh_server;
|
||||||
|
|
||||||
# Type for the ssh-agent executable.
|
# Type for the ssh-agent executable.
|
||||||
@ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',`
|
|||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
|
||||||
|
|
||||||
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
|
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
|
||||||
# Signal the user domains.
|
# Signal the user domains.
|
||||||
allow sshd_extern_t user_mini_domain:process signal;
|
allow sshd_extern_t user_mini_domain:process signal;
|
||||||
@ -159,15 +175,7 @@ ifdef(`strict_policy',`
|
|||||||
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
|
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`run_ssh_inetd',`
|
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
|
||||||
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
|
|
||||||
',`
|
|
||||||
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
|
|
||||||
')
|
|
||||||
',`
|
|
||||||
# These rules should match the else block
|
|
||||||
# of the run_ssh_inetd tunable directly above
|
|
||||||
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`direct_sysadm_daemon', `
|
ifdef(`direct_sysadm_daemon', `
|
||||||
|
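Review bot: Removing the `run_ssh_inetd` tunable here changes what the policy grants, not just where it is declared: `domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)` is now unconditional inside the `optional_policy` block, and the initrc transition that was its else-branch is hoisted to top level in the `@ -140,6 +154,8` hunk. Both appear to still sit under the ifdef(TODO) block opened in that earlier hunk, so the practical effect may be nil today, but once that block is enabled both transitions are on with no switch. If dropping the tunable is intended, a comment such as `# run_ssh_inetd tunable removed: the inetd transition is unconditional whenever inetd is present` next to the domain_trans line would spare the next reader a search for it.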
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(stunnel,1.2.1)
|
policy_module(stunnel,1.2.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -127,13 +127,9 @@ ifdef(`distro_gentoo', `
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`stunnel_is_daemon',`
|
# hack since this port has no interfaces since it doesnt
|
||||||
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
# have net_contexts
|
||||||
|
gen_require(`
|
||||||
# hack since this port has no interfaces since it doesnt
|
type stunnel_port_t;
|
||||||
# have net_contexts
|
|
||||||
gen_require(`
|
|
||||||
type stunnel_port_t;
|
|
||||||
')
|
|
||||||
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
|
||||||
')
|
')
|
||||||
|
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
||||||
|
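Review bot: `allow stunnel_t stunnel_port_t:tcp_socket name_bind;` and the `gen_require` for `stunnel_port_t` move out of the `tunable_policy(stunnel_is_daemon)` block to module scope, so binding the stunnel port is now allowed regardless of that tunable, and the `allow stunnel_t self:tcp_socket create_stream_socket_perms;` line that shared the block no longer appears in this hunk. If both were moved to a block earlier in the file (outside my view) this is a relocation only; otherwise the name_bind becomes a permanent grant where it was opt-in and the create_stream_socket_perms rule is lost. Either outcome deserves a sentence in the commit message, since the stated intent is moving tunables into modules rather than removing their gating.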
@ -1,11 +1,28 @@
|
|||||||
|
|
||||||
policy_module(xserver,1.3.3)
|
policy_module(xserver,1.3.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allows clients to write to the X server shared
|
||||||
|
## memory segments.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_write_xshm,false)
|
||||||
|
')
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow xdm logins as sysadm
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(xdm_sysadm_login,false)
|
||||||
|
|
||||||
attribute fonts_type;
|
attribute fonts_type;
|
||||||
attribute fonts_cache_type;
|
attribute fonts_cache_type;
|
||||||
attribute fonts_config_type;
|
attribute fonts_config_type;
|
||||||
|
@ -1,11 +1,19 @@
|
|||||||
|
|
||||||
policy_module(zebra,1.3.1)
|
policy_module(zebra,1.3.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow zebra daemon to write it configuration files
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
#
|
||||||
|
gen_tunable(allow_zebra_write_config,false)
|
||||||
|
|
||||||
type zebra_t;
|
type zebra_t;
|
||||||
type zebra_exec_t;
|
type zebra_exec_t;
|
||||||
init_daemon_domain(zebra_t,zebra_exec_t)
|
init_daemon_domain(zebra_t,zebra_exec_t)
|
||||||
|
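Review bot: The stray `#` line between `## </desc>` and `gen_tunable(allow_zebra_write_config,false)` is inconsistent with every other tunable added in this commit and, if segenxml pairs a `##` comment block with the gen_tunable that immediately follows it, may detach the description from the tunable — drop it. The description also has a typo: `## Allow zebra daemon to write its configuration files`.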
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.5.4)
|
policy_module(init,1.5.5)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -10,6 +10,15 @@ gen_require(`
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow all daemons the ability to use unallocated ttys
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_daemons_use_tty,false)
|
||||||
|
')
|
||||||
|
|
||||||
# used for direct running of init scripts
|
# used for direct running of init scripts
|
||||||
# by admin domains
|
# by admin domains
|
||||||
attribute direct_run_init;
|
attribute direct_run_init;
|
||||||
|
@ -1,11 +1,20 @@
|
|||||||
|
|
||||||
policy_module(mount,1.5.0)
|
policy_module(mount,1.5.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow mount to mount any file
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_mount_anyfile,false)
|
||||||
|
')
|
||||||
|
|
||||||
type mount_t;
|
type mount_t;
|
||||||
type mount_exec_t;
|
type mount_exec_t;
|
||||||
init_system_domain(mount_t,mount_exec_t)
|
init_system_domain(mount_t,mount_exec_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,2.1.2)
|
policy_module(userdomain,2.1.3)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
@ -15,6 +15,51 @@ gen_require(`
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
ifdef(`strict_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow sysadm to ptrace all processes
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_ptrace,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow users to connect to mysql
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_user_mysql_connect,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow regular users direct mouse access
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(user_direct_mouse,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow users to read system messages.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(user_dmesg,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow user to r/w files on filesystems
|
||||||
|
## that do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(user_rw_noexattrfile,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow w to display everyone
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(user_ttyfile_stat,false)
|
||||||
|
')
|
||||||
|
|
||||||
# admin users terminals (tty and pty)
|
# admin users terminals (tty and pty)
|
||||||
attribute admin_terminal;
|
attribute admin_terminal;
|
||||||
|
|
||||||
|
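Review bot: The description for `user_ttyfile_stat`, `## Allow w to display everyone`, does not read as a sentence in the generated docs; `## Allow the w command to display information on all users' ttys` states what the tunable gates and keeps the "Allow ... to ..." form used by the other five descriptions in this hunk.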
@ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
|
|||||||
docs = doc
|
docs = doc
|
||||||
polxml = $(docs)/policy.xml
|
polxml = $(docs)/policy.xml
|
||||||
xmldtd = $(HEADERDIR)/support/policy.dtd
|
xmldtd = $(HEADERDIR)/support/policy.dtd
|
||||||
layerxml = metadata.xml
|
metaxml = metadata.xml
|
||||||
|
|
||||||
globaltun = $(HEADERDIR)/global_tunables.xml
|
globaltun = $(HEADERDIR)/global_tunables.xml
|
||||||
globalbool = $(HEADERDIR)/global_booleans.xml
|
globalbool = $(HEADERDIR)/global_booleans.xml
|
||||||
@ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$
|
|||||||
|
|
||||||
# policy headers
|
# policy headers
|
||||||
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
|
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
|
||||||
|
|
||||||
all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
|
all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
|
||||||
all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
|
all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
|
||||||
rolemap = $(HEADERDIR)/rolemap
|
rolemap = $(HEADERDIR)/rolemap
|
||||||
|
|
||||||
detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
|
detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
|
||||||
|
|
||||||
|
clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
|
||||||
|
all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
|
||||||
|
detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
|
||||||
|
|
||||||
3rd_party_mods = $(wildcard *.te)
|
3rd_party_mods = $(wildcard *.te)
|
||||||
detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
|
detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
|
||||||
|
detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
|
||||||
|
|
||||||
detected_ifs = $(detected_mods:.te=.if)
|
detected_ifs = $(detected_mods:.te=.if)
|
||||||
detected_fcs = $(detected_mods:.te=.fc)
|
detected_fcs = $(detected_mods:.te=.fc)
|
||||||
all_packages = $(notdir $(detected_mods:.te=.pp))
|
all_packages = $(notdir $(detected_mods:.te=.pp))
|
||||||
|
|
||||||
|
modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
|
||||||
|
layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
|
||||||
|
|
||||||
|
hmodxml = $(all_interfaces:.if=.xml)
|
||||||
|
hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
|
||||||
|
hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
|
||||||
|
|
||||||
|
cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
|
||||||
|
cmodxml = $(cmods:.te=.xml)
|
||||||
|
clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
|
||||||
|
cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
|
||||||
|
|
||||||
vpath %.te $(detected_layers)
|
vpath %.te $(detected_layers)
|
||||||
vpath %.if $(detected_layers)
|
vpath %.if $(detected_layers)
|
||||||
vpath %.fc $(detected_layers)
|
vpath %.fc $(detected_layers)
|
||||||
|
|
||||||
# if there are modules in the current directory, add them into the third party layer
|
|
||||||
ifneq "$(3rd_party_mods)" ""
|
|
||||||
genxml += -3 .
|
|
||||||
endif
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Functions
|
# Functions
|
||||||
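Review bot: The new derived variables (`clayers`, `cmods`, `cmodxml`, `modxml`, `layerxml` and the rest) are recursive `=` assignments, so the `$(wildcard)` in `cmods` and the `$(shell find …)` they inherit through `all_layers`/`detected_layers` are re-run on every expansion, including once per prerequisite list in the rules of the next hunk; `:=` would evaluate each once. That follows the file's existing style, so it is a style point rather than a defect. More concretely, `layerxml` maps the current directory to `tmp/$(notdir $(CURDIR)).xml` while `hlayerxml` and `clayerxml` map header layers to `tmp/<layer>.xml`, so a checkout whose directory name equals a layer name makes two rules with different recipes claim the same target. `clayerxml=` is also missing the space its neighbouring assignments use.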
@ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs):
|
|||||||
# Documentation generation
|
# Documentation generation
|
||||||
#
|
#
|
||||||
|
|
||||||
# minimal dependencies here, because we don't want to rebuild
|
$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
|
||||||
# this and its dependents every time the dependencies
|
@test -d tmp || mkdir -p tmp
|
||||||
# change. Also use all .if files here, rather then just the
|
$(verbose) echo '<layer name="$(*F)">' > $@
|
||||||
# enabled modules.
|
$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
|
||||||
$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
|
$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
|
||||||
@echo "Creating $@"
|
$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
|
||||||
@mkdir -p doc
|
$(verbose) echo '</layer>' >> $@
|
||||||
|
|
||||||
|
$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
|
||||||
|
@test -d tmp || mkdir -p tmp
|
||||||
|
$(verbose) echo '<layer name="$(*F)">' > $@
|
||||||
|
$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
|
||||||
|
$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
|
||||||
|
$(verbose) echo '</layer>' >> $@
|
||||||
|
|
||||||
|
$(cmodxml) $(modxml): %.xml: %.if %.te
|
||||||
|
$(verbose) $(genxml) -w -m $* > $@
|
||||||
|
|
||||||
|
$(layerxml): %.xml: $(modxml)
|
||||||
|
@test -d tmp || mkdir -p tmp
|
||||||
|
$(verbose) echo '<layer name="$(*F)">' > $@
|
||||||
|
$(verbose) if test -f '$(metaxml)'; then \
|
||||||
|
cat $(metaxml) >> $@; \
|
||||||
|
else \
|
||||||
|
echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
|
||||||
|
fi
|
||||||
|
$(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
|
||||||
|
$(verbose) echo '</layer>' >> $@
|
||||||
|
|
||||||
|
$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
|
||||||
|
@echo "Creating $(@F)"
|
||||||
|
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
|
||||||
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
|
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
|
||||||
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
|
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
|
||||||
$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
|
$(verbose) echo '<policy>' >> $@
|
||||||
|
$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
|
||||||
|
$(verbose) echo '</policy>' >> $@
|
||||||
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
|
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
|
||||||
$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
|
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
|
||||||
fi
|
fi
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
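Review bot: The `$(layerxml)` rule reads `$(metaxml)` at recipe time (`if test -f '$(metaxml)'; then cat $(metaxml)`) but does not list it as a prerequisite, so editing the third-party layer's metadata.xml never rebuilds that layer XML or `$(polxml)`; `$(clayerxml)` and `$(hlayerxml)` get this right through `$(cmetaxml)`/`$(hmetaxml)`. Adding `$(wildcard $(metaxml))` to its prerequisites (and `$(metaxml)` itself to the `filter-out` on the `cat` line) keeps the optional-file behaviour while making the dependency visible. All four new rules also build `$@` in place with `>` followed by several `>>`, so a failed `cat` or `$(genxml)` leaves a truncated but newer file that later runs treat as up to date; a `.DELETE_ON_ERROR:` declaration, or writing to `$@.tmp` and renaming at the end, would cover that.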
@ -1,6 +1,7 @@
|
|||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
|
|
||||||
# Author: Joshua Brindle <jbrindle@tresys.com>
|
# Author: Joshua Brindle <jbrindle@tresys.com>
|
||||||
|
# Caleb Case <ccase@tresys.com>
|
||||||
#
|
#
|
||||||
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
|
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
@ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
templatefile = open(templatedir + "/template.html", "r")
|
templatefile = open(templatedir + "/template.html", "r")
|
||||||
templatedata = templatefile.read()
|
templatedata = templatefile.read()
|
||||||
templatefile.close()
|
templatefile.close()
|
||||||
|
tunfile = open(templatedir + "/tunable.html", "r")
|
||||||
|
tundata = tunfile.read()
|
||||||
|
tunfile.close()
|
||||||
|
boolfile = open(templatedir + "/boolean.html", "r")
|
||||||
|
booldata = boolfile.read()
|
||||||
|
boolfile.close()
|
||||||
menufile = open(templatedir + "/menu.html", "r")
|
menufile = open(templatedir + "/menu.html", "r")
|
||||||
menudata = menufile.read()
|
menudata = menufile.read()
|
||||||
menufile.close()
|
menufile.close()
|
||||||
@ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
templistfile = open(templatedir + "/temp_list.html", "r")
|
templistfile = open(templatedir + "/temp_list.html", "r")
|
||||||
templistdata = templistfile.read()
|
templistdata = templistfile.read()
|
||||||
templistfile.close()
|
templistfile.close()
|
||||||
boollistfile = open(templatedir + "/global_bool_list.html", "r")
|
tunlistfile = open(templatedir + "/tun_list.html", "r")
|
||||||
boollistdata = boollistfile.read()
|
|
||||||
boollistfile.close()
|
|
||||||
tunlistfile = open(templatedir + "/global_tun_list.html", "r")
|
|
||||||
tunlistdata = tunlistfile.read()
|
tunlistdata = tunlistfile.read()
|
||||||
tunlistfile.close()
|
tunlistfile.close()
|
||||||
|
boollistfile = open(templatedir + "/bool_list.html", "r")
|
||||||
|
boollistdata = boollistfile.read()
|
||||||
|
boollistfile.close()
|
||||||
|
gboollistfile = open(templatedir + "/global_bool_list.html", "r")
|
||||||
|
gboollistdata = gboollistfile.read()
|
||||||
|
gboollistfile.close()
|
||||||
|
gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
|
||||||
|
gtunlistdata = gtunlistfile.read()
|
||||||
|
gtunlistfile.close()
|
||||||
except:
|
except:
|
||||||
error("Could not open templates")
|
error("Could not open templates")
|
||||||
|
|
||||||
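Review bot: The four new template reads extend a `try:` whose handler (the `except:` at the end of the hunk) reports only `Could not open templates`, so with this many files opened in the block a missing `tun_list.html` or `bool_list.html` is indistinguishable from any other failure, and the bare `except:` also hides the underlying exception. A small helper that names the file makes the failure actionable and removes the repeated open/read/close triples; gen_docs itself starts outside the hunk.
```python
def read_template(templatedir, name):
	# Read one template file; a missing file raises with its path in the message.
	fh = open(templatedir + "/" + name, "r")
	try:
		return fh.read()
	finally:
		fh.close()

# … unchanged: earlier template reads …
	tunlistdata = read_template(templatedir, "tun_list.html")
	boollistdata = read_template(templatedir, "bool_list.html")
	gboollistdata = read_template(templatedir, "global_bool_list.html")
	gtunlistdata = read_template(templatedir, "global_tun_list.html")
```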
@ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
|
|
||||||
all_interfaces = []
|
all_interfaces = []
|
||||||
all_templates = []
|
all_templates = []
|
||||||
|
all_tunables = []
|
||||||
|
all_booleans = []
|
||||||
for node in doc.getElementsByTagName("module"):
|
for node in doc.getElementsByTagName("module"):
|
||||||
mod_name = mod_layer = mod_desc = interface_buf = ''
|
mod_name = mod_layer = mod_desc = interface_buf = ''
|
||||||
|
|
||||||
@ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
template_tpl = pyplate.Template(templatedata)
|
template_tpl = pyplate.Template(templatedata)
|
||||||
template_buf = template_tpl.execute_string({"templates" : templates})
|
template_buf = template_tpl.execute_string({"templates" : templates})
|
||||||
|
|
||||||
|
#generate 'boolean' pages
|
||||||
|
booleans = []
|
||||||
|
for boolean in node.getElementsByTagName("bool"):
|
||||||
|
boolean_parameters = []
|
||||||
|
boolean_desc = None
|
||||||
|
boolean_name = boolean.getAttribute("name")
|
||||||
|
boolean_dftval = boolean.getAttribute("dftval")
|
||||||
|
for desc in boolean.childNodes:
|
||||||
|
if desc.nodeName == "desc":
|
||||||
|
boolean_desc = format_html_desc(desc)
|
||||||
|
|
||||||
|
booleans.append({ "bool_name" : boolean_name,
|
||||||
|
"desc" : boolean_desc,
|
||||||
|
"def_val" : boolean_dftval })
|
||||||
|
#all_booleans is for the main boolean index with all booleans
|
||||||
|
all_booleans.append({ "bool_name" : boolean_name,
|
||||||
|
"desc" : boolean_desc,
|
||||||
|
"def_val" : boolean_dftval,
|
||||||
|
"mod_name": mod_name,
|
||||||
|
"mod_layer" : mod_layer })
|
||||||
|
booleans.sort(bool_cmp)
|
||||||
|
boolean_tpl = pyplate.Template(booldata)
|
||||||
|
boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
|
||||||
|
|
||||||
|
#generate 'tunable' pages
|
||||||
|
tunables = []
|
||||||
|
for tunable in node.getElementsByTagName("tunable"):
|
||||||
|
tunable_parameters = []
|
||||||
|
tunable_desc = None
|
||||||
|
tunable_name = tunable.getAttribute("name")
|
||||||
|
tunable_dftval = tunable.getAttribute("dftval")
|
||||||
|
for desc in tunable.childNodes:
|
||||||
|
if desc.nodeName == "desc":
|
||||||
|
tunable_desc = format_html_desc(desc)
|
||||||
|
|
||||||
|
tunables.append({ "tun_name" : tunable_name,
|
||||||
|
"desc" : tunable_desc,
|
||||||
|
"def_val" : tunable_dftval })
|
||||||
|
#all_tunables is for the main tunable index with all tunables
|
||||||
|
all_tunables.append({ "tun_name" : tunable_name,
|
||||||
|
"desc" : tunable_desc,
|
||||||
|
"def_val" : tunable_dftval,
|
||||||
|
"mod_name": mod_name,
|
||||||
|
"mod_layer" : mod_layer })
|
||||||
|
tunables.sort(tun_cmp)
|
||||||
|
tunable_tpl = pyplate.Template(tundata)
|
||||||
|
tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
|
||||||
|
|
||||||
|
|
||||||
menu = gen_doc_menu(mod_layer, module_list)
|
menu = gen_doc_menu(mod_layer, module_list)
|
||||||
|
|
||||||
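Review bot: `boolean_parameters = []` and `tunable_parameters = []` are never used — they look copied from the interface loop earlier in gen_docs — and should be removed. The two loops are otherwise identical apart from the element name (`bool`/`tunable`) and the dictionary key (`bool_name`/`tun_name`), so a helper taking those two strings and returning the per-module list plus the index entries would halve this hunk. `booleans.sort(bool_cmp)` and `tunables.sort(tun_cmp)` rely on comparators defined outside the hunk, and gen_docs starts outside it.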
@ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
interface_buf = None
|
interface_buf = None
|
||||||
if not template_buf.strip():
|
if not template_buf.strip():
|
||||||
template_buf = None
|
template_buf = None
|
||||||
|
if not tunable_buf.strip():
|
||||||
|
tunable_buf = None
|
||||||
|
if not boolean_buf.strip():
|
||||||
|
boolean_buf = None
|
||||||
|
|
||||||
module_args = { "mod_layer" : mod_layer,
|
module_args = { "mod_layer" : mod_layer,
|
||||||
"mod_name" : mod_name,
|
"mod_name" : mod_name,
|
||||||
@ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
"mod_desc" : mod_desc,
|
"mod_desc" : mod_desc,
|
||||||
"mod_req" : mod_req,
|
"mod_req" : mod_req,
|
||||||
"interfaces" : interface_buf,
|
"interfaces" : interface_buf,
|
||||||
"templates": template_buf }
|
"templates" : template_buf,
|
||||||
|
"tunables" : tunable_buf,
|
||||||
|
"booleans" : boolean_buf }
|
||||||
|
|
||||||
module_tpl = pyplate.Template(moduledata)
|
module_tpl = pyplate.Template(moduledata)
|
||||||
module_buf = module_tpl.execute_string(module_args)
|
module_buf = module_tpl.execute_string(module_args)
|
||||||
@ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
|
|
||||||
|
|
||||||
#build the global tunable index
|
#build the global tunable index
|
||||||
global_tun_buf = []
|
global_tun = []
|
||||||
for tunable in doc.getElementsByTagName("tunable"):
|
for tunable in doc.getElementsByTagName("tunable"):
|
||||||
if tunable.parentNode.nodeName == "policy":
|
if tunable.parentNode.nodeName == "policy":
|
||||||
tunable_name = tunable.getAttribute("name")
|
tunable_name = tunable.getAttribute("name")
|
||||||
default_value = tunable.getAttribute("dftval")
|
default_value = tunable.getAttribute("dftval")
|
||||||
for desc in tunable.getElementsByTagName("desc"):
|
for desc in tunable.getElementsByTagName("desc"):
|
||||||
description = format_html_desc(desc)
|
description = format_html_desc(desc)
|
||||||
global_tun_buf.append( { "tun_name" : tunable_name,
|
global_tun.append( { "tun_name" : tunable_name,
|
||||||
"def_val" : default_value,
|
"def_val" : default_value,
|
||||||
"desc" : description } )
|
"desc" : description } )
|
||||||
global_tun_buf.sort(tun_cmp)
|
global_tun.sort(tun_cmp)
|
||||||
global_tun_tpl = pyplate.Template(tunlistdata)
|
global_tun_tpl = pyplate.Template(gtunlistdata)
|
||||||
global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
|
global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
|
||||||
global_tun_file = "global_tunables.html"
|
global_tun_file = "global_tunables.html"
|
||||||
global_tun_fh = open(global_tun_file, "w")
|
global_tun_fh = open(global_tun_file, "w")
|
||||||
body_tpl = pyplate.Template(bodydata)
|
body_tpl = pyplate.Template(bodydata)
|
||||||
@ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
body_tpl.execute(global_tun_fh, body_args)
|
body_tpl.execute(global_tun_fh, body_args)
|
||||||
global_tun_fh.close()
|
global_tun_fh.close()
|
||||||
|
|
||||||
|
#build the tunable index
|
||||||
|
all_tunables = all_tunables + global_tun
|
||||||
|
all_tunables.sort(tun_cmp)
|
||||||
|
tunable_tpl = pyplate.Template(tunlistdata)
|
||||||
|
tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
|
||||||
|
temp_file = "tunables.html"
|
||||||
|
temp_fh = open(temp_file, "w")
|
||||||
|
body_tpl = pyplate.Template(bodydata)
|
||||||
|
|
||||||
|
body_args = { "menu" : menu_buf,
|
||||||
|
"content" : tunable_buf }
|
||||||
|
|
||||||
|
body_tpl.execute(temp_fh, body_args)
|
||||||
|
temp_fh.close()
|
||||||
|
|
||||||
#build the global boolean index
|
#build the global boolean index
|
||||||
global_bool_buf = []
|
global_bool = []
|
||||||
for boolean in doc.getElementsByTagName("bool"):
|
for boolean in doc.getElementsByTagName("bool"):
|
||||||
if boolean.parentNode.nodeName == "policy":
|
if boolean.parentNode.nodeName == "policy":
|
||||||
bool_name = boolean.getAttribute("name")
|
bool_name = boolean.getAttribute("name")
|
||||||
default_value = boolean.getAttribute("dftval")
|
default_value = boolean.getAttribute("dftval")
|
||||||
for desc in boolean.getElementsByTagName("desc"):
|
for desc in boolean.getElementsByTagName("desc"):
|
||||||
description = format_html_desc(desc)
|
description = format_html_desc(desc)
|
||||||
global_bool_buf.append( { "bool_name" : bool_name,
|
global_bool.append( { "bool_name" : bool_name,
|
||||||
"def_val" : default_value,
|
"def_val" : default_value,
|
||||||
"desc" : description } )
|
"desc" : description } )
|
||||||
global_bool_buf.sort(bool_cmp)
|
global_bool.sort(bool_cmp)
|
||||||
global_bool_tpl = pyplate.Template(boollistdata)
|
global_bool_tpl = pyplate.Template(gboollistdata)
|
||||||
global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
|
global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
|
||||||
global_bool_file = "global_booleans.html"
|
global_bool_file = "global_booleans.html"
|
||||||
global_bool_fh = open(global_bool_file, "w")
|
global_bool_fh = open(global_bool_file, "w")
|
||||||
body_tpl = pyplate.Template(bodydata)
|
body_tpl = pyplate.Template(bodydata)
|
||||||
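Review bot: `all_tunables = all_tunables + global_tun` merges the per-module entries, which carry `mod_name` and `mod_layer`, with the global entries built just above, which do not, so if `tun_list.html` renders those keys — the apparent reason the per-module entries carry them — the global rows fail or render blank. Padding the global entries when they are appended, e.g. `all_tunables = all_tunables + [dict(t, mod_name="", mod_layer="") for t in global_tun]`, keeps both shapes identical. The same applies to `all_booleans = all_booleans + global_bool` in the `@ -637,6 +720,21` hunk. `temp_file`/`temp_fh` are also generic names next to `global_tun_file`/`global_tun_fh`; `tun_index_fh` would say what is being written.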
@ -637,6 +720,21 @@ def gen_docs(doc, working_dir, templatedir):
|
|||||||
|
|
||||||
body_tpl.execute(global_bool_fh, body_args)
|
body_tpl.execute(global_bool_fh, body_args)
|
||||||
global_bool_fh.close()
|
global_bool_fh.close()
|
||||||
|
|
||||||
|
#build the boolean index
|
||||||
|
all_booleans = all_booleans + global_bool
|
||||||
|
all_booleans.sort(bool_cmp)
|
||||||
|
boolean_tpl = pyplate.Template(boollistdata)
|
||||||
|
boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
|
||||||
|
temp_file = "booleans.html"
|
||||||
|
temp_fh = open(temp_file, "w")
|
||||||
|
body_tpl = pyplate.Template(bodydata)
|
||||||
|
|
||||||
|
body_args = { "menu" : menu_buf,
|
||||||
|
"content" : boolean_buf }
|
||||||
|
|
||||||
|
body_tpl.execute(temp_fh, body_args)
|
||||||
|
temp_fh.close()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
# Author(s): Donald Miner <dminer@tresys.com>
|
# Author(s): Donald Miner <dminer@tresys.com>
|
||||||
# Dave Sugar <dsugar@tresys.com>
|
# Dave Sugar <dsugar@tresys.com>
|
||||||
# Brian Williams <bwilliams@tresys.com>
|
# Brian Williams <bwilliams@tresys.com>
|
||||||
|
# Caleb Case <ccase@tresys.com>
|
||||||
#
|
#
|
||||||
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
|
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
@ -18,6 +19,7 @@ import sys
|
|||||||
import os
|
import os
|
||||||
import glob
|
import glob
|
||||||
import re
|
import re
|
||||||
|
import getopt
|
||||||
|
|
||||||
# GLOBALS
|
# GLOBALS
|
||||||
|
|
||||||
@ -70,9 +72,15 @@ def getModuleXML(file_name):
|
|||||||
Returns the XML data for a module in a list, one line per list item.
|
Returns the XML data for a module in a list, one line per list item.
|
||||||
'''
|
'''
|
||||||
|
|
||||||
|
# Gather information.
|
||||||
|
module_dir = os.path.dirname(file_name)
|
||||||
|
module_name = os.path.basename(file_name)
|
||||||
|
module_te = "%s/%s.te" % (module_dir, module_name)
|
||||||
|
module_if = "%s/%s.if" % (module_dir, module_name)
|
||||||
|
|
||||||
# Try to open the file, if it cant, just ignore it.
|
# Try to open the file, if it cant, just ignore it.
|
||||||
try:
|
try:
|
||||||
module_file = open(file_name, "r")
|
module_file = open(module_if, "r")
|
||||||
module_code = module_file.readlines()
|
module_code = module_file.readlines()
|
||||||
module_file.close()
|
module_file.close()
|
||||||
except:
|
except:
|
||||||
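Review bot: `module_te = "%s/%s.te" % (module_dir, module_name)` and the `module_if` line below it break when `file_name` has no directory component: `os.path.dirname("foo")` is the empty string, so the paths become `/foo.te` and `/foo.if` at the filesystem root. `os.path.join(module_dir, module_name + ".te")` handles both cases. The docstring above (`Returns the XML data for a module…`) should also state that `file_name` is now the module path without its `.te`/`.if` extension, since the Makefile passes the pattern stem (`$(genxml) -w -m $*`); the rest of getModuleXML is outside the hunk.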
@ -83,7 +91,7 @@ def getModuleXML(file_name):
|
|||||||
|
|
||||||
# Infer the module name, which is the base of the file name.
|
# Infer the module name, which is the base of the file name.
|
||||||
module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
|
module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
|
||||||
% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
|
% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
|
||||||
|
|
||||||
temp_buf = []
|
temp_buf = []
|
||||||
interface = None
|
interface = None
|
||||||
@ -175,54 +183,13 @@ def getModuleXML(file_name):
|
|||||||
elif temp_buf:
|
elif temp_buf:
|
||||||
warning("orphan XML comments at bottom of file %s" % file_name)
|
warning("orphan XML comments at bottom of file %s" % file_name)
|
||||||
|
|
||||||
|
# Process the TE file if it exists.
|
||||||
|
module_buf = module_buf + getTunableXML(module_te, "both")
|
||||||
|
|
||||||
module_buf.append("</module>\n")
|
module_buf.append("</module>\n")
|
||||||
|
|
||||||
return module_buf
|
return module_buf
|
||||||
|
|
||||||
def getLayerXML (layerName, directories):
|
|
||||||
'''
|
|
||||||
Returns the XML documentation for a layer.
|
|
||||||
'''
|
|
||||||
|
|
||||||
layer_buf = []
|
|
||||||
|
|
||||||
# Infer the layer name from the directory name.
|
|
||||||
layer_buf.append("<layer name=\"%s\">\n" % layerName)
|
|
||||||
|
|
||||||
# Try to file the metadata file for this layer and if it exists,
|
|
||||||
# append the contents to the buffer.
|
|
||||||
bFoundMeta = False
|
|
||||||
for directory in directories:
|
|
||||||
metafile = directory + "/" + meta
|
|
||||||
|
|
||||||
if not bFoundMeta and os.path.isfile (metafile):
|
|
||||||
layer_meta = open (metafile, "r")
|
|
||||||
layer_buf += layer_meta.readlines ()
|
|
||||||
layer_meta.close()
|
|
||||||
bFoundMeta = True
|
|
||||||
|
|
||||||
# force the metadata for the third party layer
|
|
||||||
if not bFoundMeta:
|
|
||||||
if layerName == third_party:
|
|
||||||
layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n")
|
|
||||||
bFoundMeta = True
|
|
||||||
|
|
||||||
# didn't find meta data for this layer - oh well
|
|
||||||
if not bFoundMeta:
|
|
||||||
layer_buf.append ("<summary>Summary is missing!.</summary>\n")
|
|
||||||
warning ("unable to find %s for layer %s" % (meta, layerName))
|
|
||||||
|
|
||||||
# For each module file in the layer, add its XML.
|
|
||||||
for directory in directories:
|
|
||||||
modules = glob.glob("%s/*.if" % directory)
|
|
||||||
modules.sort()
|
|
||||||
for module in modules:
|
|
||||||
layer_buf += getModuleXML(module)
|
|
||||||
|
|
||||||
layer_buf.append("</layer>\n")
|
|
||||||
|
|
||||||
return layer_buf
|
|
||||||
|
|
||||||
def getTunableXML(file_name, kind):
|
def getTunableXML(file_name, kind):
|
||||||
'''
|
'''
|
||||||
Return all the XML for the tunables/bools in the file specified.
|
Return all the XML for the tunables/bools in the file specified.
|
||||||
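Review bot: The new comment `# Process the TE file if it exists.` promises a check the code does not make: `getTunableXML(module_te, "both")` is called unconditionally, and whether it tolerates a missing file depends on its body, which is outside this hunk. Either guard the call with `if os.path.isfile(module_te):` or reword the comment to `# Append any tunables/booleans declared in the module's .te file.` so it matches the behaviour. `module_buf = module_buf + …` could also be `module_buf += …`, matching the `+=` form used in getTunableXML.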
@ -257,8 +224,10 @@ def getTunableXML(file_name, kind):
|
|||||||
if boolean:
|
if boolean:
|
||||||
# If there is a gen_bool in a tunable file or a
|
# If there is a gen_bool in a tunable file or a
|
||||||
# gen_tunable in a boolean file, error and exit.
|
# gen_tunable in a boolean file, error and exit.
|
||||||
if boolean.group(1) != kind:
|
# Skip if both kinds are valid.
|
||||||
error("%s in a %s file." % (boolean.group(1), kind))
|
if kind != "both":
|
||||||
|
if boolean.group(1) != kind:
|
||||||
|
error("%s in a %s file." % (boolean.group(1), kind))
|
||||||
|
|
||||||
tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
|
tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
|
||||||
tunable_buf += temp_buf
|
tunable_buf += temp_buf
|
||||||
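Review bot: The nested `if kind != "both":` / `if boolean.group(1) != kind:` reads more simply as one condition, `if kind != "both" and boolean.group(1) != kind:`, and the two comments above it then describe a single check. The comment `# Skip if both kinds are valid.` is also slightly misleading: nothing is skipped, the mismatch check is merely not applied when `kind` is `"both"`; `# "both" accepts either declaration, so only check for a mismatch otherwise.` says what happens.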
@ -341,39 +310,15 @@ def usage():
|
|||||||
Displays a message describing the proper usage of this script.
|
Displays a message describing the proper usage of this script.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
sys.stdout.write("usage: %s [-w] [-m file] "\
|
sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
|
||||||
% sys.argv[0])
|
sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
|
||||||
|
"-m --module <file>\t\tname of module to process\n"+\
|
||||||
|
"-t --tunable <file>\t\tname of global tunable file to process\n"+\
|
||||||
|
"-b --boolean <file>\t\tname of global boolean file to process\n\n")
|
||||||
|
|
||||||
sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
|
sys.stdout.write("examples:\n")
|
||||||
|
sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
|
||||||
sys.stdout.write("Options:\n")
|
sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])
|
||||||
|
|
||||||
sys.stdout.write ("-h --help -- "+\
|
|
||||||
"show command line options\n")
|
|
||||||
|
|
||||||
sys.stdout.write("-w --warn -- "+\
|
|
||||||
"show warnings\n")
|
|
||||||
|
|
||||||
sys.stdout.write("-m --meta <file> -- "+\
|
|
||||||
"the filename of the metadata in each layer\n")
|
|
||||||
|
|
||||||
sys.stdout.write("-t --tunable <file> -- "+\
|
|
||||||
"A file containing tunable declarations\n")
|
|
||||||
|
|
||||||
sys.stdout.write("-b --bool <file> -- "+\
|
|
||||||
"A file containing bool declarations\n")
|
|
||||||
|
|
||||||
sys.stdout.write("-o --output-dir <directory> -- "+\
|
|
||||||
"A directory to output global_tunables.xml and global_booleans.xml\n")
|
|
||||||
|
|
||||||
sys.stdout.write("--tunables-xml <file> -- "+\
|
|
||||||
"A file containing tunable declarations already in XML format\n")
|
|
||||||
|
|
||||||
sys.stdout.write("--booleans-xml <file> -- "+\
|
|
||||||
"A file containing bool declarations already in XML format\n")
|
|
||||||
|
|
||||||
sys.stdout.write ("-3 --third-party <directory> -- "+\
|
|
||||||
"Look for 3rd Party modules in directory.\n")
|
|
||||||
|
|
||||||
def warning(description):
|
def warning(description):
|
||||||
'''
|
'''
|
||||||
@ -397,79 +342,50 @@ def error(description):
|
|||||||
|
|
||||||
|
|
||||||
# MAIN PROGRAM
|
# MAIN PROGRAM
|
||||||
|
|
||||||
|
# Defaults
|
||||||
|
warn = False
|
||||||
|
module = False
|
||||||
|
tunable = False
|
||||||
|
boolean = False
|
||||||
|
|
||||||
# Check that there are command line arguments.
|
# Check that there are command line arguments.
|
||||||
if len(sys.argv) <= 1:
|
if len(sys.argv) <= 1:
|
||||||
usage()
|
usage()
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Parse command line args
|
||||||
# Parse the command line arguments
|
try:
|
||||||
for i in range(1, len(sys.argv)):
|
opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
|
||||||
if sys.argv[i-1] in ("-m", "--meta",\
|
except getopt.GetoptError:
|
||||||
"-t", "--tunable", "-b", "--bool",\
|
usage()
|
||||||
"-o", "--output-dir", "-3", "--third-party", \
|
sys.exit(2)
|
||||||
"--tunables-xml", "--booleans-xml"):
|
for o, a in opts:
|
||||||
continue
|
if o in ('-w', '--warn'):
|
||||||
elif sys.argv[i] in ("-w", "--warn"):
|
|
||||||
warn = True
|
warn = True
|
||||||
elif sys.argv[i] in ("-m", "--meta"):
|
elif o in ('-h', '--help'):
|
||||||
if i < len(sys.argv)-1:
|
usage()
|
||||||
meta = sys.argv[i+1]
|
sys.exit(0)
|
||||||
else:
|
elif o in ('-m', '--module'):
|
||||||
usage()
|
module = a
|
||||||
elif sys.argv[i] in ("-t", "--tunable"):
|
break
|
||||||
if i < len(sys.argv)-1:
|
elif o in ('-t', '--tunable'):
|
||||||
tunable_files.append(sys.argv[i+1])
|
tunable = a
|
||||||
else:
|
break
|
||||||
usage()
|
elif o in ('-b', '--boolean'):
|
||||||
elif sys.argv[i] in ("-b", "--bool"):
|
boolean = a
|
||||||
if i < len(sys.argv)-1:
|
break
|
||||||
bool_files.append(sys.argv[i+1])
|
|
||||||
else:
|
|
||||||
usage()
|
|
||||||
|
|
||||||
elif sys.argv[i] == "--tunables-xml":
|
|
||||||
if i < len(sys.argv)-1:
|
|
||||||
xml_bool_files.append (sys.argv[i+1])
|
|
||||||
else:
|
|
||||||
usage ()
|
|
||||||
|
|
||||||
elif sys.argv[i] == "--booleans-xml":
|
|
||||||
if i < len(sys.argv)-1:
|
|
||||||
xml_tunable_files.append (sys.argv[i+1])
|
|
||||||
else:
|
|
||||||
usage ()
|
|
||||||
|
|
||||||
elif sys.argv[i] in ("-o", "--output-dir"):
|
|
||||||
if i < len(sys.argv)-1:
|
|
||||||
output_dir = sys.argv[i+1]
|
|
||||||
else:
|
|
||||||
usage ()
|
|
||||||
|
|
||||||
elif sys.argv[i] in ("-3", "--third-party"):
|
|
||||||
if i < len(sys.argv) -1:
|
|
||||||
if layers.has_key (third_party):
|
|
||||||
layers[third_party].append (sys.argv[i+1])
|
|
||||||
else:
|
|
||||||
layers[third_party] = [sys.argv[i+1]]
|
|
||||||
else:
|
|
||||||
usage ()
|
|
||||||
|
|
||||||
elif sys.argv[i] in ("-h", "--help"):
|
|
||||||
usage ()
|
|
||||||
sys.exit (1)
|
|
||||||
|
|
||||||
else:
|
else:
|
||||||
# store directories in hash stored by layer name
|
usage()
|
||||||
splitlayer = os.path.split(sys.argv[i])
|
sys.exit(2)
|
||||||
if layers.has_key (splitlayer[1]):
|
|
||||||
layers[splitlayer[1]].append (sys.argv[i])
|
|
||||||
else:
|
|
||||||
layers[splitlayer[1]] = [sys.argv[i]]
|
|
||||||
|
|
||||||
|
if module:
|
||||||
# Generate the XML and output it to a file
|
sys.stdout.writelines(getModuleXML(module))
|
||||||
lines = getPolicyXML()
|
elif tunable:
|
||||||
for s in lines:
|
sys.stdout.writelines(getTunableXML(tunable, "tunable"))
|
||||||
sys.stdout.write(s)
|
elif boolean:
|
||||||
|
sys.stdout.writelines(getTunableXML(boolean, "bool"))
|
||||||
|
else:
|
||||||
|
usage()
|
||||||
|
sys.exit(2)
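Review bot: The positional arguments that getopt returns in `args` are never looked at in the new main program, so an invocation such as `-m foo.te extra_arg` is accepted silently even though the old loop treated every non-option argument as a layer directory; a guard right after the parse, `if args:` followed by `usage()` and `sys.exit(2)`, would keep the command line honest. The `break` after each of `module = a`, `tunable = a` and `boolean = a` also ends option processing early, so a `-w` given after the selecting option never sets `warn`; either drop the three breaks and let the later `if module: … elif tunable: … elif boolean:` chain pick the mode, or add a comment above the loop stating `# first of -m/-t/-b wins; options after it are ignored`. Whether `warn` is consumed anywhere is not visible in this hunk, so that part is inferred from the defaults block.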