- Move booleans and tunables into the module that uses them when they are only
used in a single module. - Add support for tunables and booleans local to a module.
							parent
							
								
									8021cb4f63
								
							
						
					
					
						commit
						56e1b3d207
					
				| @ -1,3 +1,6 @@ | ||||
| - Move booleans and tunables to modules when it is only used in a single | ||||
|   module. | ||||
| - Add support for tunables and booleans local to a module. | ||||
| - Merge sbin_t and ls_exec_t into bin_t. | ||||
| - Remove disable_trans booleans. | ||||
| - Output different header sets for kernel and userland from flask headers. | ||||
|  | ||||
										41
								Makefile
							| @ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon | ||||
| # documentation paths
 | ||||
| docs := doc | ||||
| xmldtd = $(docs)/policy.dtd | ||||
| layerxml = metadata.xml | ||||
| metaxml = metadata.xml | ||||
| doctemplate = $(docs)/templates | ||||
| docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc) | ||||
| 
 | ||||
| @ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in | ||||
| # when a generated file is already generated
 | ||||
| detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te)) | ||||
| 
 | ||||
| modxml := $(detected_mods:.te=.xml) | ||||
| layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))) | ||||
| all_metaxml := $(addsuffix /$(metaxml), $(all_layers)) | ||||
| 
 | ||||
| # modules.conf setting for base module
 | ||||
| configbase := base | ||||
| 
 | ||||
| @ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c | ||||
| # Documentation generation
 | ||||
| #
 | ||||
| 
 | ||||
| # minimal dependencies here, because we don't want to rebuild 
 | ||||
| # this and its dependents every time the dependencies
 | ||||
| # change.  Also use all .if files here, rather then just the
 | ||||
| # enabled modules.
 | ||||
| xml: $(polxml) | ||||
| $(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml)) | ||||
| $(modxml): %.xml: %.if %.te | ||||
| 	$(verbose) $(genxml) -w -m $* > $@ | ||||
| 
 | ||||
| $(layerxml): %.xml: $(modxml) $(all_metaxml) | ||||
| 	@test -d $(tmpdir) || mkdir -p $(tmpdir) | ||||
| 	$(verbose) echo '<layer name="$(*F)">' > $@ | ||||
| 	$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@ | ||||
| 	$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@ | ||||
| 	$(verbose) echo '</layer>' >> $@ | ||||
| 
 | ||||
| $(tunxml): $(globaltun) | ||||
| 	$(verbose) $(genxml) -w -t $< > $@ | ||||
| 
 | ||||
| $(boolxml): $(globalbool) | ||||
| 	$(verbose) $(genxml) -w -b $< > $@ | ||||
| 
 | ||||
| $(polxml): $(layerxml) $(tunxml) $(boolxml) | ||||
| 	@echo "Creating $(@F)" | ||||
| 	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) | ||||
| 	@test -d $(tmpdir) || mkdir -p $(tmpdir) | ||||
| 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ | ||||
| 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@ | ||||
| 	$(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@ | ||||
| 	$(verbose) echo '<policy>' >> $@ | ||||
| 	$(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@ | ||||
| 	$(verbose) echo '</policy>' >> $@ | ||||
| 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
 | ||||
| 		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 | ||||
| 	fi | ||||
| 
 | ||||
| $(tunxml) $(boolxml): $(polxml) | ||||
| xml: $(polxml) | ||||
| 
 | ||||
| html $(tmpdir)/html: $(polxml) | ||||
| 	@echo "Building html interface reference documentation in $(htmldir)" | ||||
| @ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts | ||||
| #
 | ||||
| # Install policy headers
 | ||||
| #
 | ||||
| install-headers: $(tunxml) $(boolxml) | ||||
| install-headers: $(layerxml) $(tunxml) $(boolxml) | ||||
| 	@mkdir -p $(headerdir) | ||||
| 	@echo "Installing $(TYPE) policy headers." | ||||
| 	$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir) | ||||
| @ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml) | ||||
| 	$(verbose) for i in $(notdir $(all_layers)); do \
 | ||||
| 		mkdir -p $(headerdir)/$$i ;\
 | ||||
| 		$(INSTALL) -m 644 $(moddir)/$$i/*.if \
 | ||||
| 			$(moddir)/$$i/metadata.xml \
 | ||||
| 			$(moddir)/$$i/*.xml \
 | ||||
| 			$(headerdir)/$$i ;\
 | ||||
| 	done | ||||
| 	$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf | ||||
| @ -620,6 +637,8 @@ resetlabels: | ||||
| #
 | ||||
| bare: clean | ||||
| 	rm -f $(polxml) | ||||
| 	rm -f $(layerxml) | ||||
| 	rm -f $(modxml) | ||||
| 	rm -f $(tunxml) | ||||
| 	rm -f $(boolxml) | ||||
| 	rm -f $(mod_conf) | ||||
|  | ||||
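Review bot: The new `$(layerxml)` rule and the rewritten `$(polxml)` rule assemble `$@` through a chain of `>`/`>>` redirections, so a failure part-way through (for example the `cat` of a layer's `$(metaxml)` when that file is missing) leaves a truncated `$@` that is newer than its prerequisites and is treated as up to date on the next run, unless `.DELETE_ON_ERROR:` is declared somewhere outside these hunks. Writing to `$@.tmp` and renaming at the end makes each target atomic; the layer rule is sketched below and the same change applies to the `$(polxml)` recipe. Two smaller points in the same rule: `@test -d $(tmpdir) || mkdir -p $(tmpdir)` is just `@mkdir -p $(tmpdir)`, and the `$(filter-out …/$(metaxml), …)` around the third `cat` looks redundant because `$(modxml)` is derived from `.te` names and so cannot contain `metadata.xml`, though I would confirm that before dropping it. `install-headers` now lists `$(layerxml)` as a prerequisite while the visible `$(INSTALL)` line copies only `$(tunxml) $(boolxml)`; if the layer files are installed in the lines between the two install-headers hunks that is fine, otherwise the new prerequisite builds files nothing installs.
```make
$(layerxml): %.xml: $(modxml) $(all_metaxml)
	@mkdir -p $(tmpdir)
	$(verbose) echo '<layer name="$(*F)">' > $@.tmp
	$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@.tmp
	$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@.tmp
	$(verbose) echo '</layer>' >> $@.tmp
	$(verbose) mv -f $@.tmp $@
```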
| @ -4,7 +4,7 @@ | ||||
| <!ELEMENT layer (summary,module+)> | ||||
| <!ATTLIST layer | ||||
|       name CDATA #REQUIRED> | ||||
| <!ELEMENT module (summary,desc?,required?,(interface|template)*)> | ||||
| <!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)> | ||||
| <!ATTLIST module  | ||||
|       name CDATA #REQUIRED | ||||
|       filename CDATA #REQUIRED> | ||||
|  | ||||
										23
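--- a/doc/templates/bool_list.html
+++ b/doc/templates/bool_list.html
@@ -0,0 +1,23 @@
+<h3>Master boolean index:</h3>
+
+[[for bool in booleans]]
+<div id="interfacesmall">
+[[if bool.has_key('mod_layer')]]
+Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
+[[bool['mod_name']]]</a><p/>
+Layer: <a href='[[bool['mod_layer']]].html'>
+[[bool['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[bool['bool_name']]]
+<small>(Default: [[bool['def_val']]])</small>
+</div>
+[[if bool['desc']]]
+<div id="description">
+[[bool['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]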
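Review bot: `bool.has_key('mod_layer')` on the fifth line ties the template to Python 2 dictionaries; `'mod_layer' in bool` is equivalent and keeps working on Python 3, where `has_key` was removed. The same line appears in the new `doc/templates/tun_list.html`, which is otherwise a copy of this file with `bool` renamed to `tun`. Whether the template engine accepts `in` inside an expression is not visible here, so confirm before changing it. The values placed into `href` and the body (`bool_name`, `mod_layer`, `desc`) are emitted without HTML escaping; that is acceptable while the input is the project's own policy tree, and a one-line comment at the top of the template, `<!-- values come straight from the policy sources and are not HTML-escaped -->`, would record that assumption for anyone who later points the generator at other input.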
										13
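--- a/doc/templates/boolean.html
+++ b/doc/templates/boolean.html
@@ -0,0 +1,13 @@
+[[for bool in booleans]]
+<a name="link_[[bool['bool_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]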
										4
								doc/templates/menu.html
							| @ -16,6 +16,10 @@ | ||||
| 	<p/><br/><p/> | ||||
| 	<a href="index.html">* Layer Index</a> | ||||
| 	<br/><p/> | ||||
| 	<a href="booleans.html">* Boolean Index</a> | ||||
| 	<br/><p/> | ||||
| 	<a href="tunables.html">* Tunable Index</a> | ||||
| 	<br/><p/> | ||||
| 	<a href="interfaces.html">* Interface Index</a> | ||||
| 	<br/><p/> | ||||
| 	<a href="templates.html">* Template Index</a> | ||||
|  | ||||
										27
								doc/templates/module.html
							| @ -1,8 +1,16 @@ | ||||
| <a name="top":></a> | ||||
| <h1>Layer: [[mod_layer]]</h1><p/> | ||||
| <h2>Module: [[mod_name]]</h2><p/> | ||||
| [[if interfaces and templates]] | ||||
| [[if booleans]] | ||||
| <a href=#booleans>Booleans</a> | ||||
| [[end]] | ||||
| [[if tunables]] | ||||
| <a href=#tunables>Tunables</a> | ||||
| [[end]] | ||||
| [[if interfaces]] | ||||
| <a href=#interfaces>Interfaces</a> | ||||
| [[end]] | ||||
| [[if templates]] | ||||
| <a href=#templates>Templates</a> | ||||
| [[end]] | ||||
| <h3>Description:</h3> | ||||
| @ -14,6 +22,19 @@ | ||||
| [[if mod_req]] | ||||
| <p>This module is required to be included in all policies.</p> | ||||
| [[end]] | ||||
| <hr> | ||||
| [[if booleans]] | ||||
| <a name="booleans"></a> | ||||
| <h3>Booleans: </h3> | ||||
| [[booleans]] | ||||
| <a href=#top>Return</a> | ||||
| [[end]] | ||||
| [[if tunables]] | ||||
| <a name="tunables"></a> | ||||
| <h3>Tunables: </h3> | ||||
| [[tunables]] | ||||
| <a href=#top>Return</a> | ||||
| [[end]] | ||||
| [[if interfaces]] | ||||
| <a name="interfaces"></a> | ||||
| <h3>Interfaces: </h3> | ||||
| @ -26,6 +47,6 @@ | ||||
| [[templates]] | ||||
| <a href=#top>Return</a> | ||||
| [[end]] | ||||
| [[if not templates and not interfaces]] | ||||
| <h3>No interfaces or templates.</h3> | ||||
| [[if not templates and not interfaces and not tunables]] | ||||
| <h3>No booleans, tunables, interfaces, or templates.</h3> | ||||
| [[end]] | ||||
|  | ||||
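Review bot: The fallback condition in the last hunk, `[[if not templates and not interfaces and not tunables]]`, omits `booleans`, so a module that declares only booleans renders its Booleans section and then the heading "No booleans, tunables, interfaces, or templates." right below it; the test should be `[[if not templates and not interfaces and not tunables and not booleans]]`. The new per-section anchors in the first hunk use `<a href=#booleans>` with the value unquoted, which browsers tolerate but which differs from the quoted `href="…"` style used in menu.html; quoting them keeps the templates consistent. The stray colon in the context line `<a name="top":></a>` predates this commit but could be fixed while the file is being touched.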
										23
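--- a/doc/templates/tun_list.html
+++ b/doc/templates/tun_list.html
@@ -0,0 +1,23 @@
+<h3>Master tunable index:</h3>
+
+[[for tun in tunables]]
+<div id="interfacesmall">
+[[if tun.has_key('mod_layer')]]
+Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
+[[tun['mod_name']]]</a><p/>
+Layer: <a href='[[tun['mod_layer']]].html'>
+[[tun['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[tun['tun_name']]]
+<small>(Default: [[tun['def_val']]])</small>
+</div>
+[[if tun['desc']]]
+<div id="description">
+[[tun['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]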
										13
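--- a/doc/templates/tunable.html
+++ b/doc/templates/tunable.html
@@ -0,0 +1,13 @@
+[[for tun in tunables]]
+<a name="link_[[tun['tun_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]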
| @ -9,22 +9,6 @@ | ||||
| # Common tunables | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow cvs daemon to read shadow | ||||
| ## </p> | ||||
| ## </desc> | ||||
| # | ||||
| gen_tunable(allow_cvs_read_shadow,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow zebra daemon to write it configuration files | ||||
| ## </p> | ||||
| ## </desc> | ||||
| # | ||||
| gen_tunable(allow_zebra_write_config,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow making the heap executable. | ||||
| @ -56,82 +40,6 @@ gen_tunable(allow_execmod,false) | ||||
| ## </desc> | ||||
| gen_tunable(allow_execstack,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to login to local users and  | ||||
| ## read/write all files on the system, governed by DAC. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_full_access,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to use cifs | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_use_cifs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to use nfs | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_use_nfs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow gssd to read temp directory. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_gssd_read_tmp,true) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow Apache to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_httpd_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow Apache to use mod_auth_pam | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_httpd_mod_auth_pam,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow java executable stack | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_java_execstack,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow system to run with kerberos | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_kerberos,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow nfs servers to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_nfsd_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Enable polyinstantiated directory support. | ||||
| @ -139,30 +47,6 @@ gen_tunable(allow_nfsd_anon_write,false) | ||||
| ## </desc> | ||||
| gen_tunable(allow_polyinstantiation,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow rsync to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_rsync_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow sasl to read shadow | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_saslauthd_read_shadow,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow samba to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_smbd_anon_write,false) | ||||
| 
 | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow system to run with NIS | ||||
| @ -170,28 +54,6 @@ gen_tunable(allow_smbd_anon_write,false) | ||||
| ## </desc> | ||||
| gen_tunable(allow_ypbind,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Enable extra rules in the cron domain | ||||
| ## to support fcron. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(fcron_crond,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp to read and write files in the user home directories | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(ftp_home_dir,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftpd to run directly without inetd | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(ftpd_is_daemon,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Enable reading of urandom for all domains. | ||||
| @ -205,85 +67,6 @@ gen_tunable(ftpd_is_daemon,false) | ||||
| ## </desc> | ||||
| gen_tunable(global_ssp,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to use built in scripting (usually php) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_builtin_scripting,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow http daemon to tcp connect  | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_can_network_connect,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to connect to mysql/posgresql  | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_can_network_connect_db, false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to act as a relay  | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_can_network_relay, false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd cgi support | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_enable_cgi,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to act as a FTP server by | ||||
| ## listening on the ftp port. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_enable_ftp_server,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to read home directories | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_enable_homedirs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Run SSI execs in system CGI script domain. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_ssi_exec,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow http daemon to communicate with the TTY | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_tty_comm,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Run CGI in the main httpd domain | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_unified,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow BIND to write the master zone files. | ||||
| ## Generally this is used for dynamic DNS. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(named_write_master_zones,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow nfs to be exported read/write. | ||||
| @ -298,13 +81,6 @@ gen_tunable(nfs_export_all_rw,false) | ||||
| ## </desc> | ||||
| gen_tunable(nfs_export_all_ro,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow pppd to load kernel modules for certain modems | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(pppd_can_insmod,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow reading of default_t files. | ||||
| @ -312,43 +88,6 @@ gen_tunable(pppd_can_insmod,false) | ||||
| ## </desc> | ||||
| gen_tunable(read_default_t,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow samba to export user home directories. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(samba_enable_home_dirs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow samba to export NFS volumes. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(samba_share_nfs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow squid to connect to all ports, not just | ||||
| ## HTTP, FTP, and Gopher ports. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(squid_connect_any,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ssh logins as sysadm_r:sysadm_t | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(ssh_sysadm_login,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Configure stunnel to be a standalone daemon or | ||||
| ## inetd service. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(stunnel_is_daemon,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Support NFS home directories | ||||
| @ -363,115 +102,12 @@ gen_tunable(use_nfs_home_dirs,false) | ||||
| ## </desc> | ||||
| gen_tunable(use_samba_home_dirs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow xdm logins as sysadm | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(xdm_sysadm_login,false) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Strict policy specific | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Control users use of ping and traceroute | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_ping,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow gpg executable stack | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_gpg_execstack,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow mplayer executable stack | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_mplayer_execstack,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow sysadm to ptrace all processes | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ptrace,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## allow host key based authentication | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ssh_keysign,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to connect to mysql | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_user_mysql_connect,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allows clients to write to the X server shared | ||||
| ## memory segments. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_write_xshm,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow cdrecord to read various content. | ||||
| ## nfs, samba, removable devices, user temp | ||||
| ## and untrusted content files | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(cdrecord_read_content,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow system cron jobs to relabel filesystem | ||||
| ## for restoring file contexts. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(cron_can_relabel,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## force to games to run in user_t | ||||
| ## mapping executable (text relocation). | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(disable_games_trans,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Disable transitions to evolution domains. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(disable_evolution_trans,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Disable transitions to user mozilla domains | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(disable_mozilla_trans,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Disable transitions to user thunderbird domains | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(disable_thunderbird_trans,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow email client to various content. | ||||
| @ -481,20 +117,6 @@ gen_tunable(disable_thunderbird_trans,false) | ||||
| ## </desc> | ||||
| gen_tunable(mail_read_content,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Control mozilla content access | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(mozilla_read_content,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow pppd to be run for a regular user | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(pppd_for_user,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow applications to read untrusted content | ||||
| @ -504,65 +126,6 @@ gen_tunable(pppd_for_user,false) | ||||
| ## </desc> | ||||
| gen_tunable(read_untrusted_content,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ssh to run from inetd instead of as a daemon. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(run_ssh_inetd,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow user spamassassin clients to use the network. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(spamassassin_can_network,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow staff_r users to search the sysadm home  | ||||
| ## dir and read files (such as ~/.bashrc) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(staff_read_sysadm_file,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Use lpd server instead of cups | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(use_lpd_server,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow regular users direct mouse access  | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_direct_mouse,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to read system messages. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_dmesg,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to control network interfaces | ||||
| ## (also needs USERCTL=true) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_net_control,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow user to r/w files on filesystems | ||||
| ## that do not have extended attributes (FAT, CDROM, FLOPPY) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_rw_noexattrfile,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to run TCP servers (bind to ports and accept connection from | ||||
| @ -572,13 +135,6 @@ gen_tunable(user_rw_noexattrfile,false) | ||||
| ## </desc> | ||||
| gen_tunable(user_tcp_server,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow w to display everyone | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_ttyfile_stat,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow applications to write untrusted content | ||||
| @ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false) | ||||
| ## </desc> | ||||
| gen_tunable(write_untrusted_content,false) | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Targeted policy specific | ||||
| # | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow all daemons the ability to use unallocated ttys | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_daemons_use_tty,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow mount to mount any file | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_mount_anyfile,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow spamd to read/write user home directories. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(spamd_enable_home_dirs,true) | ||||
| ') | ||||
|  | ||||
| @ -1,11 +1,20 @@ | ||||
| 
 | ||||
| policy_module(netutils,1.3.0) | ||||
| policy_module(netutils,1.3.1) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Control users use of ping and traceroute | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_ping,false) | ||||
| ') | ||||
| 
 | ||||
| type netutils_t; | ||||
| type netutils_exec_t; | ||||
| init_system_domain(netutils_t,netutils_exec_t) | ||||
|  | ||||
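Review bot: `gen_tunable(user_ping,false)` is now declared only inside the `strict_policy` ifdef, so every `tunable_policy` block that tests `user_ping` in the rest of netutils.te, which lies outside this hunk, must sit under the same conditional; otherwise a targeted build references a boolean that was never declared. The hunk alone cannot confirm that, so it is worth checking the module body. The same coupling is introduced for `cdrecord_read_content` in cdrecord.te and `mozilla_read_content` in mozilla.te, which wrap their declarations the same way. A short comment above the block, `# strict-only tunable: keep its tunable_policy blocks under the same ifdef`, would make the constraint visible to the next editor.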
| @ -1,10 +1,21 @@ | ||||
| 
 | ||||
| policy_module(cdrecord,1.1.0) | ||||
| policy_module(cdrecord,1.1.1) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow cdrecord to read various content. | ||||
| ## nfs, samba, removable devices, user temp | ||||
| ## and untrusted content files | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(cdrecord_read_content,false) | ||||
| ') | ||||
| 
 | ||||
| type cdrecord_exec_t; | ||||
| corecmd_executable_file(cdrecord_exec_t) | ||||
|  | ||||
| @ -187,7 +187,6 @@ template(`evolution_per_role_template',` | ||||
| 	corecmd_exec_shell($1_evolution_t) | ||||
| 	# Run various programs | ||||
| 	corecmd_exec_bin($1_evolution_t) | ||||
| 	corecmd_exec_bin($1_evolution_t) | ||||
| 
 | ||||
| 	corenet_non_ipsec_sendrecv($1_evolution_t) | ||||
| 	corenet_tcp_sendrecv_generic_if($1_evolution_t) | ||||
| @ -674,7 +673,8 @@ template(`evolution_per_role_template',` | ||||
| 	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto; | ||||
| 	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write; | ||||
| 
 | ||||
| 	allow $1_evolution_server_t $2:fd use; | ||||
| 	# Transition from user type | ||||
| 	domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t) | ||||
| 
 | ||||
| 	kernel_read_system_state($1_evolution_server_t) | ||||
| 
 | ||||
| @ -718,11 +718,6 @@ template(`evolution_per_role_template',` | ||||
| 	# until properly implemented | ||||
| 	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t) | ||||
| 
 | ||||
| 	# Transition from user type | ||||
| 	tunable_policy(`!disable_evolution_trans',` | ||||
| 		domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t) | ||||
| 	') | ||||
| 
 | ||||
| 	# Access evolution home | ||||
| 	tunable_policy(`use_nfs_home_dirs',` | ||||
| 		fs_manage_nfs_files($1_evolution_server_t) | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(evolution,1.1.1) | ||||
| policy_module(evolution,1.1.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
|  | ||||
| @ -84,6 +84,7 @@ template(`games_per_role_template',` | ||||
| 
 | ||||
| 	can_exec($1_games_t, games_exec_t) | ||||
| 
 | ||||
| 	domain_auto_trans($2, games_exec_t, $1_games_t) | ||||
| 	allow $2 $1_games_t:unix_stream_socket connectto; | ||||
| 	allow $1_games_t $2:unix_stream_socket connectto; | ||||
| 
 | ||||
| @ -136,11 +137,6 @@ template(`games_per_role_template',` | ||||
| 	# Suppress .icons denial until properly implemented | ||||
| 	userdom_dontaudit_read_user_home_content_files($1,$1_games_t) | ||||
| 	 | ||||
| 	# Type transition | ||||
| 	tunable_policy(`!disable_games_trans',` | ||||
| 		domain_auto_trans($2, games_exec_t, $1_games_t) | ||||
| 	') | ||||
| 
 | ||||
| 	tunable_policy(`allow_execmem',` | ||||
| 		allow $1_games_t self:process execmem; | ||||
| 	') | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(games,1.1.2) | ||||
| policy_module(games,1.1.3) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
|  | ||||
| @ -1,11 +1,18 @@ | ||||
| 
 | ||||
| policy_module(java,1.3.3) | ||||
| policy_module(java,1.3.4) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow java executable stack | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_java_execstack,false) | ||||
| 
 | ||||
| type java_t; | ||||
| type java_exec_t; | ||||
| init_system_domain(java_t,java_exec_t) | ||||
|  | ||||
| @ -105,6 +105,10 @@ template(`mozilla_per_role_template',` | ||||
| 
 | ||||
| 	allow $1_mozilla_t $2:process signull; | ||||
| 
 | ||||
| 	domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) | ||||
| 	# Unrestricted inheritance from the caller. | ||||
| 	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; | ||||
| 
 | ||||
| 	# Allow the user domain to signal/ps. | ||||
| 	ps_process_pattern($2,$1_mozilla_t) | ||||
| 	allow $2 $1_mozilla_t:process signal_perms; | ||||
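Review bot: The `allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };` at L1348 is now granted unconditionally, and `noatsecure` means the browser domain is entered without the AT_SECURE environment sanitisation a domain transition normally triggers; the surviving comment says only "Unrestricted inheritance from the caller" and not why that is acceptable. Since `$2` is the calling user domain and `$1_mozilla_t` is presumably no more privileged than it, this is likely fine, but the comment should record that reasoning, e.g. `# Unrestricted inheritance from the caller: the browser domain is not more privileged than the user domain, so AT_SECURE sanitisation is not needed.` mozilla_per_role_template starts before this hunk and continues past it.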
| @ -207,13 +211,6 @@ template(`mozilla_per_role_template',` | ||||
| 		fs_manage_cifs_symlinks($1_mozilla_t) | ||||
| 	') | ||||
| 
 | ||||
| 	# Type transition | ||||
| 	tunable_policy(`! disable_mozilla_trans',` | ||||
| 		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) | ||||
| 		# Unrestricted inheritance from the caller. | ||||
| 		allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; | ||||
| 	') | ||||
| 
 | ||||
| 	# Uploads, local html | ||||
| 	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` | ||||
| 		fs_list_auto_mountpoints($1_mozilla_t) | ||||
|  | ||||
| @ -1,11 +1,20 @@ | ||||
| 
 | ||||
| policy_module(mozilla,1.1.1) | ||||
| policy_module(mozilla,1.1.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Control mozilla content access | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(mozilla_read_content,false) | ||||
| ') | ||||
| 
 | ||||
| type mozilla_conf_t; | ||||
| files_config_file(mozilla_conf_t) | ||||
| 
 | ||||
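Review bot: `mozilla_read_content` is declared only inside the strict_policy ifdef (L1384-L1391), but mozilla.if references it unconditionally in `tunable_policy(mozilla_read_content && use_nfs_home_dirs, ...)` (visible at L1368 on this page). If `mozilla_per_role_template` is ever instantiated in a targeted build, that reference will fail to resolve at policy compile time. Either the template is itself strict-only, in which case a comment on the declaration such as `# strict only: mozilla_per_role_template depends on this tunable` would document the coupling, or the declaration should move out of the ifdef; I cannot tell which from here.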
|  | ||||
| @ -1,11 +1,20 @@ | ||||
| 
 | ||||
| policy_module(mplayer,1.1.1) | ||||
| policy_module(mplayer,1.1.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow mplayer executable stack | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_mplayer_execstack,false) | ||||
| ') | ||||
| 
 | ||||
| type mplayer_etc_t; | ||||
| files_config_file(mplayer_etc_t) | ||||
| 
 | ||||
|  | ||||
| @ -77,6 +77,7 @@ template(`thunderbird_per_role_template',` | ||||
| 	manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) | ||||
| 	fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) | ||||
| 
 | ||||
| 	domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) | ||||
| 	allow $2 $1_thunderbird_t:fd use; | ||||
| 	allow $2 $1_thunderbird_t:shm { associate getattr }; | ||||
| 	allow $2 $1_thunderbird_t:unix_stream_socket connectto; | ||||
| @ -166,11 +167,6 @@ template(`thunderbird_per_role_template',` | ||||
| 	xserver_read_xdm_tmp_files($1_thunderbird_t) | ||||
| 	xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t) | ||||
| 
 | ||||
| 	# Transition from user type | ||||
| 	tunable_policy(`! disable_thunderbird_trans',` | ||||
| 		domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) | ||||
| 	') | ||||
| 
 | ||||
| 	# Access ~/.thunderbird | ||||
| 	tunable_policy(`use_nfs_home_dirs',` | ||||
| 		fs_manage_nfs_dirs($1_thunderbird_t) | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(thunderbird,1.1.1) | ||||
| policy_module(thunderbird,1.1.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
|  | ||||
| @ -1,11 +1,21 @@ | ||||
| 
 | ||||
| policy_module(usernetctl,1.0.0) | ||||
| policy_module(usernetctl,1.0.1) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to control network interfaces | ||||
| ## (also needs USERCTL=true) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_net_control,false) | ||||
| ') | ||||
| 
 | ||||
| type usernetctl_t; | ||||
| type usernetctl_exec_t; | ||||
| domain_type(usernetctl_t) | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(apache,1.5.4) | ||||
| policy_module(apache,1.5.5) | ||||
| 
 | ||||
| # | ||||
| # NOTES:  | ||||
| @ -20,6 +20,92 @@ policy_module(apache,1.5.4) | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow Apache to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_httpd_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow Apache to use mod_auth_pam | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_httpd_mod_auth_pam,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to use built in scripting (usually php) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_builtin_scripting,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow http daemon to tcp connect | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_can_network_connect,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to connect to mysql/posgresql | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_can_network_connect_db, false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to act as a relay | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_can_network_relay, false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd cgi support | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_enable_cgi,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to act as a FTP server by | ||||
| ## listening on the ftp port. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_enable_ftp_server,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow httpd to read home directories | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_enable_homedirs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Run SSI execs in system CGI script domain. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_ssi_exec,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow http daemon to communicate with the TTY | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_tty_comm,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Run CGI in the main httpd domain | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(httpd_unified,false) | ||||
| 
 | ||||
| attribute httpdcontent; | ||||
| 
 | ||||
| # domains that can exec all users scripts | ||||
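Review bot: The description of `httpd_can_network_connect_db` at L1538 misspells PostgreSQL as `posgresql`, and since these `<desc>` blocks are now the source of the generated tunable documentation the typo will be published; suggested line: `## Allow httpd to connect to mysql/postgresql`. Separately, L1541 and L1549 write `gen_tunable(name, false)` with a space after the comma while every other declaration in this hunk uses `gen_tunable(name,false)`; m4 drops the leading blank in an unquoted argument so it builds, but regex-based tooling over the declarations (segenxml.py, per the Makefile on this page) is easier to keep correct when the spelling is uniform: `gen_tunable(httpd_can_network_connect_db,false)` and `gen_tunable(httpd_can_network_relay,false)`.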
| @ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms; | ||||
| allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; | ||||
| allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| 	gen_tunable(httpd_suexec_disable_trans,false) | ||||
| 
 | ||||
| 	tunable_policy(`httpd_suexec_disable_trans',`',` | ||||
| 		domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) | ||||
| 	') | ||||
| ') | ||||
| domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) | ||||
| 
 | ||||
| create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) | ||||
| append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) | ||||
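Review bot: `domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` at L1618 is now unconditional in both policy flavours, whereas the removed block (L1610-L1617) emitted it only under targeted_policy. Dropping the boolean is the stated goal of the commit, but enabling the httpd_t to httpd_suexec_t transition in strict policy is a separate behaviour change that the commit message does not mention; if strict already gets this transition from a rule outside this view it is a harmless duplicate, otherwise it deserves a changelog line. A comment above the rule would record the intent, e.g. `# httpd always transitions to the suexec domain; the former targeted-only httpd_suexec_disable_trans boolean was removed.`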
|  | ||||
| @ -1,11 +1,19 @@ | ||||
| 
 | ||||
| policy_module(bind,1.3.1) | ||||
| policy_module(bind,1.3.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow BIND to write the master zone files. | ||||
| ## Generally this is used for dynamic DNS. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(named_write_master_zones,false) | ||||
| 
 | ||||
| # for DNSSEC key files | ||||
| type dnssec_t; | ||||
| files_security_file(dnssec_t) | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(cron,1.5.1) | ||||
| policy_module(cron,1.5.2) | ||||
| 
 | ||||
| gen_require(` | ||||
| 	class passwd rootok; | ||||
| @ -9,6 +9,23 @@ gen_require(` | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow system cron jobs to relabel filesystem | ||||
| ## for restoring file contexts. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(cron_can_relabel,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Enable extra rules in the cron domain | ||||
| ## to support fcron. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(fcron_crond,false) | ||||
| 
 | ||||
| attribute cron_spool_type; | ||||
| 
 | ||||
| type anacron_exec_t; | ||||
|  | ||||
| @ -1,11 +1,18 @@ | ||||
| 
 | ||||
| policy_module(cvs,1.3.0) | ||||
| policy_module(cvs,1.3.1) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow cvs daemon to read shadow | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_cvs_read_shadow,false) | ||||
| 
 | ||||
| type cvs_t; | ||||
| type cvs_exec_t; | ||||
| inetd_tcp_service_domain(cvs_t,cvs_exec_t) | ||||
|  | ||||
| @ -28,13 +28,11 @@ template(`ftp_per_role_template',` | ||||
| 		type ftpd_t; | ||||
| 	') | ||||
| 
 | ||||
| 	tunable_policy(`ftpd_is_daemon',` | ||||
| 		userdom_manage_user_home_content_files($1,ftpd_t) | ||||
| 		userdom_manage_user_home_content_symlinks($1,ftpd_t) | ||||
| 		userdom_manage_user_home_content_sockets($1,ftpd_t) | ||||
| 		userdom_manage_user_home_content_pipes($1,ftpd_t) | ||||
| 		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) | ||||
| 	') | ||||
| 	userdom_manage_user_home_content_files($1,ftpd_t) | ||||
| 	userdom_manage_user_home_content_symlinks($1,ftpd_t) | ||||
| 	userdom_manage_user_home_content_sockets($1,ftpd_t) | ||||
| 	userdom_manage_user_home_content_pipes($1,ftpd_t) | ||||
| 	userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
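Review bot: Removing the `ftpd_is_daemon` wrapper leaves the `userdom_manage_user_home_content_*` rules and the filetrans at L1725-L1729 unconditional, so `ftpd_t` now gets read/write access to every user's home content regardless of the `ftp_home_dir` tunable, even though that tunable ("Allow ftp to read and write files in the user home directories") is declared in ftp.te in this same commit. Unless `ftp_per_role_template` is only ever invoked when home-directory access is wanted, which nothing visible suggests, these rules should be gated on `ftp_home_dir` rather than made unconditional, matching the `tunable_policy(ftp_home_dir && ...)` blocks in ftp.te. If the template's `gen_require` (its opening is outside this hunk) previously required `ftpd_is_daemon`, replace that with `bool ftp_home_dir;`.
```m4
	tunable_policy(`ftp_home_dir',`
		userdom_manage_user_home_content_files($1,ftpd_t)
		userdom_manage_user_home_content_symlinks($1,ftpd_t)
		userdom_manage_user_home_content_sockets($1,ftpd_t)
		userdom_manage_user_home_content_pipes($1,ftpd_t)
		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
	')
```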
|  | ||||
| @ -1,11 +1,50 @@ | ||||
| 
 | ||||
| policy_module(ftp,1.4.3) | ||||
| policy_module(ftp,1.4.4) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to login to local users and  | ||||
| ## read/write all files on the system, governed by DAC. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_full_access,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to use cifs | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_use_cifs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp servers to use nfs | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ftpd_use_nfs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ftp to read and write files in the user home directories | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(ftp_home_dir,false) | ||||
| 
 | ||||
| type ftpd_t; | ||||
| type ftpd_exec_t; | ||||
| init_daemon_domain(ftpd_t,ftpd_exec_t) | ||||
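Review bot: The descriptions of `allow_ftpd_use_cifs` (L1768-L1769) and `allow_ftpd_use_nfs` (L1777-L1778) read "Allow ftp servers to use cifs used for public file transfer services.", which is the `allow_ftpd_anon_write` sentence with one word swapped; the trailing clause no longer makes sense and will be published verbatim in the generated documentation. Suggested wording: `## Allow ftp servers to read and write files on CIFS-mounted filesystems.` and the same for NFS, or, if these really are scoped to the public-content types, say that explicitly. `allow_ftpd_full_access` (L1759) also says "login to local users", presumably "log in as local users".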
| @ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t) | ||||
| type ftpd_etc_t; | ||||
| files_config_file(ftpd_etc_t) | ||||
| 
 | ||||
| # ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally | ||||
| type ftpd_lock_t; | ||||
| files_lock_file(ftpd_lock_t) | ||||
| 
 | ||||
| @ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms; | ||||
| 
 | ||||
| allow ftpd_t ftpd_etc_t:file read_file_perms; | ||||
| 
 | ||||
| allow ftpd_t ftpd_lock_t:file manage_file_perms; | ||||
| files_lock_filetrans(ftpd_t,ftpd_lock_t,file) | ||||
| 
 | ||||
| manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) | ||||
| manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) | ||||
| files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) | ||||
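Review bot: The two lock-file rules at L1811-L1812 are the only survivors of the removed `tunable_policy(ftpd_is_daemon)` block, which also granted `corenet_tcp_bind_ftp_port(ftpd_t)` (visible at L1828 on this page), and I do not see that call re-added anywhere in the commit. Without it a standalone ftpd can no longer bind the ftp port, so the daemon mode the boolean used to enable silently breaks; unless the bind is already granted elsewhere in ftp.te outside this view, add `corenet_tcp_bind_ftp_port(ftpd_t)` next to the other `corenet_*` rules. A comment above L1811 such as `# lock file and port binding are needed when run as a standalone daemon` would also explain why these rules are unconditional now.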
| @ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',` | ||||
| 	fs_read_cifs_symlinks(ftpd_t) | ||||
| ') | ||||
| 
 | ||||
| tunable_policy(`ftpd_is_daemon',` | ||||
| 	allow ftpd_t ftpd_lock_t:file manage_file_perms; | ||||
| 	files_lock_filetrans(ftpd_t,ftpd_lock_t,file) | ||||
| 
 | ||||
| 	corenet_tcp_bind_ftp_port(ftpd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	tunable_policy(`ftp_home_dir',` | ||||
| 		apache_search_sys_content(ftpd_t) | ||||
| @ -232,17 +266,10 @@ optional_policy(` | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	#reh: typeattributes not allowed in conditionals yet. | ||||
| 	#tunable_policy(`! ftpd_is_daemon',` | ||||
| 	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) | ||||
| 	#') | ||||
| 
 | ||||
| 	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) | ||||
| 
 | ||||
| 	optional_policy(` | ||||
| 		tunable_policy(`! ftpd_is_daemon',` | ||||
| 			tcpd_domtrans(tcpd_t) | ||||
| 		') | ||||
| 		tcpd_domtrans(tcpd_t) | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
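Review bot: Making `tcpd_domtrans(tcpd_t)` at L1853 unconditional also exposes a pre-existing oddity: if, as its name and the usual refpolicy convention suggest, `tcpd_domtrans($1)` lets $1 execute tcpd and enter `tcpd_t`, then passing `tcpd_t` itself grants nothing useful, and the intended caller is presumably `ftpd_t` or `inetd_t`. Please verify against the interface in tcpd.if and, if confirmed, change the argument, e.g. `tcpd_domtrans(ftpd_t)`. Also `inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)` at L1846 now always applies alongside `init_daemon_domain(ftpd_t,ftpd_exec_t)` (L1794), which the removed comment noted could not be made conditional; a one-line comment stating that both roles are intentionally always granted would help the next reader.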
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(inetd,1.2.3) | ||||
| policy_module(inetd,1.2.4) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| @ -227,13 +227,6 @@ ifdef(`targeted_policy',` | ||||
| 	unconfined_domain(inetd_child_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	tunable_policy(`ftpd_is_daemon',` | ||||
| 		# Allows it to check exec privs on daemon | ||||
| 		ftp_check_exec(inetd_t) | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	kerberos_use(inetd_child_t) | ||||
| ') | ||||
|  | ||||
| @ -1,11 +1,18 @@ | ||||
| 
 | ||||
| policy_module(kerberos,1.3.3) | ||||
| policy_module(kerberos,1.3.4) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow system to run with kerberos | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_kerberos,false) | ||||
| 
 | ||||
| type kadmind_t; | ||||
| type kadmind_exec_t; | ||||
| init_daemon_domain(kadmind_t,kadmind_exec_t) | ||||
|  | ||||
| @ -1,11 +1,18 @@ | ||||
| 
 | ||||
| policy_module(lpd,1.4.2) | ||||
| policy_module(lpd,1.4.3) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Use lpd server instead of cups | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(use_lpd_server,false) | ||||
| 
 | ||||
| type checkpc_t; | ||||
| type checkpc_exec_t; | ||||
| init_system_domain(checkpc_t,checkpc_exec_t) | ||||
|  | ||||
| @ -1,11 +1,27 @@ | ||||
| 
 | ||||
| policy_module(ppp,1.3.1) | ||||
| policy_module(ppp,1.3.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow pppd to load kernel modules for certain modems | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(pppd_can_insmod,false) | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow pppd to be run for a regular user | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(pppd_for_user,false) | ||||
| ') | ||||
| 
 | ||||
| # pppd_t is the domain for the pppd program. | ||||
| # pppd_exec_t is the type of the pppd executable. | ||||
| type pppd_t; | ||||
| @ -172,20 +188,6 @@ ifdef(`targeted_policy', ` | ||||
| 	term_dontaudit_use_unallocated_ttys(pppd_t) | ||||
| 	term_dontaudit_use_generic_ptys(pppd_t) | ||||
| 	files_dontaudit_read_root_files(pppd_t) | ||||
| 
 | ||||
| 	optional_policy(` | ||||
| 		gen_require(` | ||||
| 			bool postfix_disable_trans; | ||||
| 		') | ||||
| 
 | ||||
| 		if(!postfix_disable_trans) { | ||||
| 			postfix_domtrans_master(pppd_t) | ||||
| 		} | ||||
| 	') | ||||
| ',` | ||||
| 	optional_policy(` | ||||
| 		postfix_domtrans_master(pppd_t) | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| @ -210,6 +212,10 @@ optional_policy(` | ||||
| 	nscd_socket_use(pppd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	postfix_domtrans_master(pppd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	seutil_sigchld_newrole(pppd_t) | ||||
| ') | ||||
|  | ||||
| @ -1,11 +1,26 @@ | ||||
| 
 | ||||
| policy_module(rpc,1.4.3) | ||||
| policy_module(rpc,1.4.4) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow gssd to read temp directory. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_gssd_read_tmp,true) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow nfs servers to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_nfsd_anon_write,false) | ||||
| 
 | ||||
| type exports_t; | ||||
| files_type(exports_t) | ||||
| 
 | ||||
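Review bot: `allow_gssd_read_tmp` at L2025 defaults to `true`, the only permissive default among the daemon tunables introduced in this commit, and its description does not say why or what "temp directory" means. If this preserves the previous global default it is fine, but the `<desc>` is what administrators will see in the generated documentation, so it should state the consequence and the reason, e.g. `## Allow gssd to read /tmp (on by default; presumably needed to locate credential caches there - confirm).`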
|  | ||||
| @ -1,11 +1,19 @@ | ||||
| 
 | ||||
| policy_module(rsync,1.3.1) | ||||
| policy_module(rsync,1.3.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow rsync to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_rsync_anon_write,false) | ||||
| 
 | ||||
| type rsync_t; | ||||
| type rsync_exec_t; | ||||
| init_daemon_domain(rsync_t,rsync_exec_t) | ||||
|  | ||||
| @ -1,11 +1,33 @@ | ||||
| 
 | ||||
| policy_module(samba,1.4.2) | ||||
| policy_module(samba,1.4.3) | ||||
| 
 | ||||
| ################################# | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow samba to modify public files | ||||
| ## used for public file transfer services. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_smbd_anon_write,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow samba to export user home directories. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(samba_enable_home_dirs,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow samba to export NFS volumes. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(samba_share_nfs,false) | ||||
| 
 | ||||
| type nmbd_t; | ||||
| type nmbd_exec_t; | ||||
| init_daemon_domain(nmbd_t,nmbd_exec_t) | ||||
|  | ||||
| @ -1,11 +1,18 @@ | ||||
| 
 | ||||
| policy_module(sasl,1.4.1) | ||||
| policy_module(sasl,1.4.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow sasl to read shadow | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_saslauthd_read_shadow,false) | ||||
| 
 | ||||
| type saslauthd_t; | ||||
| type saslauthd_exec_t; | ||||
| init_daemon_domain(saslauthd_t,saslauthd_exec_t) | ||||
|  | ||||
| @ -1,11 +1,29 @@ | ||||
| 
 | ||||
| policy_module(spamassassin,1.5.5) | ||||
| policy_module(spamassassin,1.5.6) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow user spamassassin clients to use the network. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(spamassassin_can_network,false) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow spamd to read/write user home directories. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(spamd_enable_home_dirs,true) | ||||
| ') | ||||
| 
 | ||||
| # spamassassin client executable | ||||
| type spamc_exec_t; | ||||
| corecmd_executable_file(spamc_exec_t) | ||||
|  | ||||
| @ -1,11 +1,19 @@ | ||||
| 
 | ||||
| policy_module(squid,1.2.1) | ||||
| policy_module(squid,1.2.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow squid to connect to all ports, not just | ||||
| ## HTTP, FTP, and Gopher ports. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(squid_connect_any,false) | ||||
| 
 | ||||
| type squid_t; | ||||
| type squid_exec_t; | ||||
| init_daemon_domain(squid_t,squid_exec_t) | ||||
|  | ||||
| @ -476,6 +476,7 @@ template(`ssh_server_template', ` | ||||
| 	corenet_non_ipsec_sendrecv($1_t) | ||||
| 	corenet_tcp_bind_all_nodes($1_t) | ||||
| 	corenet_udp_bind_all_nodes($1_t) | ||||
| 	corenet_tcp_bind_ssh_port($1_t) | ||||
| 	corenet_tcp_connect_all_ports($1_t) | ||||
| 	corenet_sendrecv_ssh_server_packets($1_t) | ||||
| 
 | ||||
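Review bot: `corenet_tcp_bind_ssh_port($1_t)` at L2202 is the only one of the three live rules from the removed else-branch (L2226-L2228 on this page) that is re-added; `init_use_fds($1_t)` and `init_use_script_ptys($1_t)` were active code there (the `#` prefixes covered only the surrounding optional/tunable lines) and do not reappear. An sshd started from an init script would presumably lose the right to use init's descriptors and script ptys, which would show up as denials at startup; unless those are already granted elsewhere in `ssh_server_template`, add `init_use_fds($1_t)` and `init_use_script_ptys($1_t)` next to the bind rule. The template starts and ends outside this hunk.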
| @ -517,25 +518,6 @@ template(`ssh_server_template', ` | ||||
| 		fs_read_cifs_files($1_t) | ||||
| 	') | ||||
| 
 | ||||
| 	# cjp: commenting out until typeattribute works in conditional | ||||
| 	# and require block in optional else is resolved | ||||
| 	#optional_policy(` | ||||
| 	#	tunable_policy(`run_ssh_inetd',` | ||||
| 	#		allow $1_t self:process signal; | ||||
| 	#		files_list_pids($1_t) | ||||
| 	#	',` | ||||
| 	#		corenet_tcp_bind_ssh_port($1_t) | ||||
| 	#		init_use_fds($1_t) | ||||
| 	#		init_use_script_ptys($1_t) | ||||
| 	#	') | ||||
| 	#',` | ||||
| 		# These rules should match the else block | ||||
| 		# of the run_ssh_inetd tunable directly above | ||||
| 		corenet_tcp_bind_ssh_port($1_t) | ||||
| 		init_use_fds($1_t) | ||||
| 		init_use_script_ptys($1_t) | ||||
| 	#') | ||||
| 
 | ||||
| 	optional_policy(` | ||||
| 		kerberos_use($1_t) | ||||
| 	') | ||||
|  | ||||
| @ -1,11 +1,25 @@ | ||||
| 
 | ||||
| policy_module(ssh,1.5.1) | ||||
| policy_module(ssh,1.5.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## allow host key based authentication | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ssh_keysign,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow ssh logins as sysadm_r:sysadm_t | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(ssh_sysadm_login,false) | ||||
| 
 | ||||
| attribute ssh_server; | ||||
| 
 | ||||
| # Type for the ssh-agent executable. | ||||
| @ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',` | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| 	ifdef(`TODO',` | ||||
| 	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) | ||||
| 
 | ||||
| 	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain) | ||||
| 	# Signal the user domains. | ||||
| 	allow sshd_extern_t user_mini_domain:process signal; | ||||
| @ -159,15 +175,7 @@ ifdef(`strict_policy',` | ||||
| 	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms; | ||||
| 
 | ||||
| 	optional_policy(` | ||||
| 		tunable_policy(`run_ssh_inetd',` | ||||
| 			domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) | ||||
| 		',` | ||||
| 			domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) | ||||
| 		') | ||||
| 	',` | ||||
| 		# These rules should match the else block | ||||
| 		# of the run_ssh_inetd tunable directly above | ||||
| 		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) | ||||
| 		domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) | ||||
| 	') | ||||
| 
 | ||||
| 	ifdef(`direct_sysadm_daemon', ` | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(stunnel,1.2.1) | ||||
| policy_module(stunnel,1.2.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| @ -127,13 +127,9 @@ ifdef(`distro_gentoo', ` | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| tunable_policy(`stunnel_is_daemon',` | ||||
| 	allow stunnel_t self:tcp_socket create_stream_socket_perms; | ||||
| 
 | ||||
| 	# hack since this port has no interfaces since it doesnt | ||||
| 	# have net_contexts | ||||
| 	gen_require(` | ||||
| 		type stunnel_port_t; | ||||
| 	') | ||||
| 	allow stunnel_t stunnel_port_t:tcp_socket name_bind; | ||||
| # hack since this port has no interfaces since it doesnt | ||||
| # have net_contexts | ||||
| gen_require(` | ||||
| 	type stunnel_port_t; | ||||
| ') | ||||
| allow stunnel_t stunnel_port_t:tcp_socket name_bind; | ||||
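Review bot: The removed `tunable_policy(stunnel_is_daemon)` block (L2314-L2323) also contained `allow stunnel_t self:tcp_socket create_stream_socket_perms;` (L2315), and the new unconditional text at L2324-L2329 keeps only the `name_bind`. Without the socket-creation permission the now-unconditional `allow stunnel_t stunnel_port_t:tcp_socket name_bind;` cannot be exercised, so a daemon-mode stunnel would fail to listen, unless that allow already exists earlier in stunnel.te outside this view. If it does not, re-add `allow stunnel_t self:tcp_socket create_stream_socket_perms;` above the `gen_require`.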
|  | ||||
| @ -1,11 +1,28 @@ | ||||
| 
 | ||||
| policy_module(xserver,1.3.3) | ||||
| policy_module(xserver,1.3.4) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allows clients to write to the X server shared | ||||
| ## memory segments. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_write_xshm,false) | ||||
| ') | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow xdm logins as sysadm | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(xdm_sysadm_login,false) | ||||
| 
 | ||||
| attribute fonts_type; | ||||
| attribute fonts_cache_type; | ||||
| attribute fonts_config_type; | ||||
|  | ||||
| @ -1,11 +1,19 @@ | ||||
| 
 | ||||
| policy_module(zebra,1.3.1) | ||||
| policy_module(zebra,1.3.2) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow zebra daemon to write it configuration files | ||||
| ## </p> | ||||
| ## </desc> | ||||
| # | ||||
| gen_tunable(allow_zebra_write_config,false) | ||||
| 
 | ||||
| type zebra_t; | ||||
| type zebra_exec_t; | ||||
| init_daemon_domain(zebra_t,zebra_exec_t) | ||||
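Review bot: The stray `#` line at L2385 sits between `## </desc>` and `gen_tunable(allow_zebra_write_config,false)`; every other module in this commit places the `gen_tunable` directly after `## </desc>`, and if the XML generator pairs a description with the following declaration by adjacency this extra comment may detach the description from the tunable, so check the generated documentation for zebra. Drop that line. The description at L2382 also has a typo: `## Allow zebra daemon to write its configuration files`.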
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(init,1.5.4) | ||||
| policy_module(init,1.5.5) | ||||
| 
 | ||||
| gen_require(` | ||||
| 	class passwd rootok; | ||||
| @ -10,6 +10,15 @@ gen_require(` | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow all daemons the ability to use unallocated ttys | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_daemons_use_tty,false) | ||||
| ') | ||||
| 
 | ||||
| # used for direct running of init scripts | ||||
| # by admin domains | ||||
| attribute direct_run_init; | ||||
|  | ||||
| @ -1,11 +1,20 @@ | ||||
| 
 | ||||
| policy_module(mount,1.5.0) | ||||
| policy_module(mount,1.5.1) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow mount to mount any file | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_mount_anyfile,false) | ||||
| ') | ||||
| 
 | ||||
| type mount_t; | ||||
| type mount_exec_t; | ||||
| init_system_domain(mount_t,mount_exec_t) | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(userdomain,2.1.2) | ||||
| policy_module(userdomain,2.1.3) | ||||
| 
 | ||||
| gen_require(` | ||||
| 	role sysadm_r, staff_r, user_r; | ||||
| @ -15,6 +15,51 @@ gen_require(` | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ifdef(`strict_policy',` | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow sysadm to ptrace all processes | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_ptrace,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to connect to mysql | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(allow_user_mysql_connect,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow regular users direct mouse access | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_direct_mouse,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow users to read system messages. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_dmesg,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow user to r/w files on filesystems | ||||
| ## that do not have extended attributes (FAT, CDROM, FLOPPY) | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_rw_noexattrfile,false) | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ## Allow w to display everyone | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(user_ttyfile_stat,false) | ||||
| ') | ||||
| 
 | ||||
| # admin users terminals (tty and pty) | ||||
| attribute admin_terminal; | ||||
| 
 | ||||
|  | ||||
| @ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py | ||||
| docs = doc | ||||
| polxml = $(docs)/policy.xml | ||||
| xmldtd = $(HEADERDIR)/support/policy.dtd | ||||
| layerxml = metadata.xml | ||||
| metaxml = metadata.xml | ||||
| 
 | ||||
| globaltun = $(HEADERDIR)/global_tunables.xml | ||||
| globalbool = $(HEADERDIR)/global_booleans.xml | ||||
| @ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$ | ||||
| 
 | ||||
| # policy headers
 | ||||
| m4support = $(wildcard $(HEADERDIR)/support/*.spt) | ||||
| 
 | ||||
| all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d)) | ||||
| all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if)) | ||||
| rolemap = $(HEADERDIR)/rolemap | ||||
| 
 | ||||
| detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d)) | ||||
| 
 | ||||
| clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers)))) | ||||
| all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers)))) | ||||
| detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers)))) | ||||
| 
 | ||||
| 3rd_party_mods = $(wildcard *.te) | ||||
| detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te)) | ||||
| detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te)) | ||||
| 
 | ||||
| detected_ifs = $(detected_mods:.te=.if) | ||||
| detected_fcs = $(detected_mods:.te=.fc) | ||||
| all_packages = $(notdir $(detected_mods:.te=.pp)) | ||||
| 
 | ||||
| modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml)) | ||||
| layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR)))) | ||||
| 
 | ||||
| hmodxml = $(all_interfaces:.if=.xml) | ||||
| hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset)))) | ||||
| hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml)) | ||||
| 
 | ||||
| cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te)) | ||||
| cmodxml = $(cmods:.te=.xml) | ||||
| clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers)))) | ||||
| cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml)) | ||||
| 
 | ||||
| vpath %.te $(detected_layers) | ||||
| vpath %.if $(detected_layers) | ||||
| vpath %.fc $(detected_layers) | ||||
| 
 | ||||
| # if there are modules in the current directory, add them into the third party layer
 | ||||
| ifneq "$(3rd_party_mods)" "" | ||||
|         genxml += -3 . | ||||
| endif | ||||
| 
 | ||||
| ########################################
 | ||||
| #
 | ||||
| # Functions
 | ||||
| @ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs): | ||||
| # Documentation generation
 | ||||
| #
 | ||||
| 
 | ||||
| # minimal dependencies here, because we don't want to rebuild
 | ||||
| # this and its dependents every time the dependencies
 | ||||
| # change.  Also use all .if files here, rather then just the
 | ||||
| # enabled modules.
 | ||||
| $(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml)) | ||||
| 	@echo "Creating $@" | ||||
| 	@mkdir -p doc | ||||
| $(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml) | ||||
| 	@test -d tmp || mkdir -p tmp | ||||
| 	$(verbose) echo '<layer name="$(*F)">' > $@ | ||||
| 	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@; | ||||
| 	$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@ | ||||
| 	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@ | ||||
| 	$(verbose) echo '</layer>' >> $@ | ||||
| 
 | ||||
| $(hlayerxml): %.xml: $(hmodxml) $(hmetaxml) | ||||
| 	@test -d tmp || mkdir -p tmp | ||||
| 	$(verbose) echo '<layer name="$(*F)">' > $@ | ||||
| 	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@; | ||||
| 	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@ | ||||
| 	$(verbose) echo '</layer>' >> $@ | ||||
| 
 | ||||
| $(cmodxml) $(modxml): %.xml: %.if %.te | ||||
| 	$(verbose) $(genxml) -w -m $* > $@ | ||||
| 
 | ||||
| $(layerxml): %.xml: $(modxml) | ||||
| 	@test -d tmp || mkdir -p tmp | ||||
| 	$(verbose) echo '<layer name="$(*F)">' > $@ | ||||
| 	$(verbose) if test -f '$(metaxml)'; then \
 | ||||
| 		cat $(metaxml) >> $@; \
 | ||||
| 	else \
 | ||||
| 		echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
 | ||||
| 	fi | ||||
| 	$(verbose) cat $(filter-out %/$(metaxml), $^) >> $@ | ||||
| 	$(verbose) echo '</layer>' >> $@ | ||||
| 
 | ||||
| $(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool) | ||||
| 	@echo "Creating $(@F)" | ||||
| 	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) | ||||
| 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ | ||||
| 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@ | ||||
| 	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@ | ||||
| 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@ | ||||
| 	$(verbose) echo '<policy>' >> $@ | ||||
| 	$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@ | ||||
| 	$(verbose) echo '</policy>' >> $@ | ||||
| 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
 | ||||
| 		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
 | ||||
| 		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 | ||||
| 	fi | ||||
| 
 | ||||
| ########################################
 | ||||
|  | ||||
| @ -1,6 +1,7 @@ | ||||
| #!/usr/bin/python | ||||
| 
 | ||||
| #  Author: Joshua Brindle <jbrindle@tresys.com> | ||||
| #          Caleb Case <ccase@tresys.com> | ||||
| # | ||||
| # Copyright (C) 2005 - 2006 Tresys Technology, LLC | ||||
| #      This program is free software; you can redistribute it and/or modify | ||||
| @ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 		templatefile = open(templatedir + "/template.html", "r") | ||||
| 		templatedata = templatefile.read() | ||||
| 		templatefile.close() | ||||
| 		tunfile = open(templatedir + "/tunable.html", "r") | ||||
| 		tundata = tunfile.read() | ||||
| 		tunfile.close() | ||||
| 		boolfile = open(templatedir + "/boolean.html", "r") | ||||
| 		booldata = boolfile.read() | ||||
| 		boolfile.close() | ||||
| 		menufile = open(templatedir + "/menu.html", "r") | ||||
| 		menudata = menufile.read() | ||||
| 		menufile.close() | ||||
| @ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 		templistfile = open(templatedir + "/temp_list.html", "r") | ||||
| 		templistdata = templistfile.read() | ||||
| 		templistfile.close() | ||||
| 		boollistfile = open(templatedir + "/global_bool_list.html", "r") | ||||
| 		boollistdata = boollistfile.read() | ||||
| 		boollistfile.close() | ||||
| 		tunlistfile = open(templatedir + "/global_tun_list.html", "r") | ||||
| 		tunlistfile = open(templatedir + "/tun_list.html", "r") | ||||
| 		tunlistdata = tunlistfile.read() | ||||
| 		tunlistfile.close() | ||||
| 		boollistfile = open(templatedir + "/bool_list.html", "r") | ||||
| 		boollistdata = boollistfile.read() | ||||
| 		boollistfile.close() | ||||
| 		gboollistfile = open(templatedir + "/global_bool_list.html", "r") | ||||
| 		gboollistdata = gboollistfile.read() | ||||
| 		gboollistfile.close() | ||||
| 		gtunlistfile = open(templatedir + "/global_tun_list.html", "r") | ||||
| 		gtunlistdata = gtunlistfile.read() | ||||
| 		gtunlistfile.close() | ||||
| 	except: | ||||
| 		error("Could not open templates") | ||||
| 
 | ||||
| @ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 
 | ||||
| 	all_interfaces = [] | ||||
| 	all_templates = [] | ||||
| 	all_tunables = [] | ||||
| 	all_booleans = [] | ||||
| 	for node in doc.getElementsByTagName("module"): | ||||
|                 mod_name = mod_layer = mod_desc = interface_buf = '' | ||||
| 
 | ||||
| @ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 		template_tpl = pyplate.Template(templatedata) | ||||
| 		template_buf = template_tpl.execute_string({"templates" : templates}) | ||||
| 
 | ||||
| 		#generate 'boolean' pages | ||||
| 		booleans = [] | ||||
| 		for boolean in node.getElementsByTagName("bool"): | ||||
| 			boolean_parameters = [] | ||||
| 			boolean_desc = None | ||||
| 			boolean_name = boolean.getAttribute("name") | ||||
| 			boolean_dftval = boolean.getAttribute("dftval") | ||||
| 			for desc in boolean.childNodes: | ||||
| 				if desc.nodeName == "desc": | ||||
| 					boolean_desc = format_html_desc(desc) | ||||
| 
 | ||||
| 			booleans.append({ "bool_name" : boolean_name, | ||||
| 					  "desc" : boolean_desc, | ||||
| 					  "def_val" : boolean_dftval }) | ||||
| 			#all_booleans is for the main boolean index with all booleans | ||||
| 			all_booleans.append({ "bool_name" : boolean_name, | ||||
| 					   "desc" : boolean_desc, | ||||
| 					   "def_val" : boolean_dftval, | ||||
| 					   "mod_name": mod_name, | ||||
| 					   "mod_layer" : mod_layer }) | ||||
| 		booleans.sort(bool_cmp) | ||||
| 		boolean_tpl = pyplate.Template(booldata) | ||||
| 		boolean_buf = boolean_tpl.execute_string({"booleans" : booleans}) | ||||
| 
 | ||||
| 		#generate 'tunable' pages | ||||
| 		tunables = [] | ||||
| 		for tunable in node.getElementsByTagName("tunable"): | ||||
| 			tunable_parameters = [] | ||||
| 			tunable_desc = None | ||||
| 			tunable_name = tunable.getAttribute("name") | ||||
| 			tunable_dftval = tunable.getAttribute("dftval") | ||||
| 			for desc in tunable.childNodes: | ||||
| 				if desc.nodeName == "desc": | ||||
| 					tunable_desc = format_html_desc(desc) | ||||
| 
 | ||||
| 			tunables.append({ "tun_name" : tunable_name, | ||||
| 					  "desc" : tunable_desc, | ||||
| 					  "def_val" : tunable_dftval }) | ||||
| 			#all_tunables is for the main tunable index with all tunables | ||||
| 			all_tunables.append({ "tun_name" : tunable_name, | ||||
| 					   "desc" : tunable_desc, | ||||
| 					   "def_val" : tunable_dftval, | ||||
| 					   "mod_name": mod_name, | ||||
| 					   "mod_layer" : mod_layer }) | ||||
| 		tunables.sort(tun_cmp) | ||||
| 		tunable_tpl = pyplate.Template(tundata) | ||||
| 		tunable_buf = tunable_tpl.execute_string({"tunables" : tunables}) | ||||
| 	 | ||||
| 
 | ||||
| 		menu = gen_doc_menu(mod_layer, module_list) | ||||
| 
 | ||||
| @ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 			interface_buf = None | ||||
| 		if not template_buf.strip(): | ||||
| 			template_buf = None | ||||
| 		if not tunable_buf.strip(): | ||||
| 			tunable_buf = None | ||||
| 		if not boolean_buf.strip(): | ||||
| 			boolean_buf = None | ||||
| 
 | ||||
| 		module_args = { "mod_layer" : mod_layer, | ||||
| 			      "mod_name" : mod_name,	 | ||||
| @ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 			      "mod_desc" : mod_desc, | ||||
| 			      "mod_req" : mod_req, | ||||
| 			      "interfaces" : interface_buf, | ||||
| 			      "templates": template_buf } | ||||
| 			      "templates" : template_buf, | ||||
| 			      "tunables" : tunable_buf, | ||||
| 			      "booleans" : boolean_buf } | ||||
| 
 | ||||
| 		module_tpl = pyplate.Template(moduledata) | ||||
| 		module_buf = module_tpl.execute_string(module_args) | ||||
| @ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 
 | ||||
| 
 | ||||
| 	#build the global tunable index | ||||
| 	global_tun_buf = [] | ||||
| 	global_tun = [] | ||||
| 	for tunable in doc.getElementsByTagName("tunable"): | ||||
| 		if tunable.parentNode.nodeName == "policy": | ||||
| 			tunable_name = tunable.getAttribute("name") | ||||
| 			default_value = tunable.getAttribute("dftval") | ||||
| 			for desc in tunable.getElementsByTagName("desc"): | ||||
| 				description = format_html_desc(desc) | ||||
| 			global_tun_buf.append( { "tun_name" : tunable_name, | ||||
| 			global_tun.append( { "tun_name" : tunable_name, | ||||
| 						"def_val" : default_value, | ||||
| 						"desc" : description } ) | ||||
| 	global_tun_buf.sort(tun_cmp) | ||||
| 	global_tun_tpl = pyplate.Template(tunlistdata) | ||||
| 	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf}) | ||||
| 	global_tun.sort(tun_cmp) | ||||
| 	global_tun_tpl = pyplate.Template(gtunlistdata) | ||||
| 	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun}) | ||||
| 	global_tun_file = "global_tunables.html" | ||||
| 	global_tun_fh = open(global_tun_file, "w") | ||||
| 	body_tpl = pyplate.Template(bodydata) | ||||
| @ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 	body_tpl.execute(global_tun_fh, body_args) | ||||
| 	global_tun_fh.close() | ||||
| 
 | ||||
| 	#build the tunable index | ||||
| 	all_tunables = all_tunables + global_tun | ||||
| 	all_tunables.sort(tun_cmp) | ||||
| 	tunable_tpl = pyplate.Template(tunlistdata) | ||||
| 	tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables}) | ||||
| 	temp_file = "tunables.html" | ||||
| 	temp_fh = open(temp_file, "w") | ||||
| 	body_tpl = pyplate.Template(bodydata) | ||||
| 
 | ||||
| 	body_args = { "menu" : menu_buf,  | ||||
| 		      "content" : tunable_buf } | ||||
| 
 | ||||
| 	body_tpl.execute(temp_fh, body_args) | ||||
| 	temp_fh.close() | ||||
| 
 | ||||
| 	#build the global boolean index | ||||
| 	global_bool_buf = [] | ||||
| 	global_bool = [] | ||||
| 	for boolean in doc.getElementsByTagName("bool"): | ||||
| 		if boolean.parentNode.nodeName == "policy": | ||||
| 			bool_name = boolean.getAttribute("name") | ||||
| 			default_value = boolean.getAttribute("dftval") | ||||
| 			for desc in boolean.getElementsByTagName("desc"): | ||||
| 				description = format_html_desc(desc) | ||||
| 			global_bool_buf.append( { "bool_name" : bool_name, | ||||
| 			global_bool.append( { "bool_name" : bool_name, | ||||
| 						"def_val" : default_value, | ||||
| 						"desc" : description } ) | ||||
| 	global_bool_buf.sort(bool_cmp) | ||||
| 	global_bool_tpl = pyplate.Template(boollistdata) | ||||
| 	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf}) | ||||
| 	global_bool.sort(bool_cmp) | ||||
| 	global_bool_tpl = pyplate.Template(gboollistdata) | ||||
| 	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool}) | ||||
| 	global_bool_file = "global_booleans.html" | ||||
| 	global_bool_fh = open(global_bool_file, "w") | ||||
| 	body_tpl = pyplate.Template(bodydata) | ||||
| @ -638,6 +721,21 @@ def gen_docs(doc, working_dir, templatedir): | ||||
| 	body_tpl.execute(global_bool_fh, body_args) | ||||
| 	global_bool_fh.close() | ||||
| 	 | ||||
| 	#build the boolean index | ||||
| 	all_booleans = all_booleans + global_bool | ||||
| 	all_booleans.sort(bool_cmp) | ||||
| 	boolean_tpl = pyplate.Template(boollistdata) | ||||
| 	boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans}) | ||||
| 	temp_file = "booleans.html" | ||||
| 	temp_fh = open(temp_file, "w") | ||||
| 	body_tpl = pyplate.Template(bodydata) | ||||
| 
 | ||||
| 	body_args = { "menu" : menu_buf,  | ||||
| 		      "content" : boolean_buf } | ||||
| 
 | ||||
| 	body_tpl.execute(temp_fh, body_args) | ||||
| 	temp_fh.close() | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| def error(error): | ||||
|  | ||||
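Review bot: In the `@ -613,21 +682,35 @@` hunk, `all_tunables = all_tunables + global_tun` merges two lists whose entries have different keys: the module-local entries built in the `@ -511,6 +526,54 @@` hunk carry `mod_name` and `mod_layer`, while the `global_tun` entries (and likewise `global_bool` in the `@ -638,6 +721,21 @@` hunk) carry only the name, default value and description. If `tun_list.html`/`bool_list.html` reference `mod_name` or `mod_layer` (the templates are not part of this diff), the global entries would fail or render blank in the combined index, so giving them the same shape, e.g. `"mod_name" : None, "mod_layer" : None`, or a marker value such as "global", keeps the index uniform. In the `@ -511` hunk, `boolean_parameters = []` and `tunable_parameters = []` are assigned but never read and look like leftovers from the interface loop; drop them. `boolean_desc` and `tunable_desc` stay `None` when a `<desc>` child is missing, so the template sees `None` rather than an empty string unless it handles that, which is worth confirming against `boolean.html`/`tunable.html`. gen_docs itself starts and ends outside these hunks.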
| @ -3,6 +3,7 @@ | ||||
| #  Author(s): Donald Miner <dminer@tresys.com> | ||||
| #             Dave Sugar <dsugar@tresys.com> | ||||
| #             Brian Williams <bwilliams@tresys.com> | ||||
| #             Caleb Case <ccase@tresys.com> | ||||
| # | ||||
| # Copyright (C) 2005 - 2006 Tresys Technology, LLC | ||||
| #      This program is free software; you can redistribute it and/or modify | ||||
| @ -18,6 +19,7 @@ import sys | ||||
| import os | ||||
| import glob | ||||
| import re | ||||
| import getopt | ||||
| 
 | ||||
| # GLOBALS | ||||
| 
 | ||||
| @ -70,9 +72,15 @@ def getModuleXML(file_name): | ||||
| 	Returns the XML data for a module in a list, one line per list item. | ||||
| 	''' | ||||
| 
 | ||||
| 	# Gather information. | ||||
| 	module_dir = os.path.dirname(file_name) | ||||
| 	module_name = os.path.basename(file_name) | ||||
| 	module_te = "%s/%s.te" % (module_dir, module_name) | ||||
| 	module_if = "%s/%s.if" % (module_dir, module_name) | ||||
| 
 | ||||
| 	# Try to open the file, if it cant, just ignore it. | ||||
| 	try: | ||||
| 		module_file = open(file_name, "r") | ||||
| 		module_file = open(module_if, "r") | ||||
| 		module_code = module_file.readlines() | ||||
| 		module_file.close() | ||||
| 	except: | ||||
| @ -83,7 +91,7 @@ def getModuleXML(file_name): | ||||
| 
 | ||||
| 	# Infer the module name, which is the base of the file name. | ||||
| 	module_buf.append("<module name=\"%s\" filename=\"%s\">\n"  | ||||
| 		% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name)) | ||||
| 		% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if)) | ||||
| 
 | ||||
| 	temp_buf = [] | ||||
| 	interface = None | ||||
| @ -175,54 +183,13 @@ def getModuleXML(file_name): | ||||
| 	elif temp_buf: | ||||
| 		warning("orphan XML comments at bottom of file %s" % file_name) | ||||
| 
 | ||||
| 	# Process the TE file if it exists. | ||||
| 	module_buf = module_buf + getTunableXML(module_te, "both") | ||||
| 
 | ||||
| 	module_buf.append("</module>\n") | ||||
| 
 | ||||
| 	return module_buf | ||||
| 
 | ||||
| def getLayerXML (layerName, directories): | ||||
| 	''' | ||||
| 	Returns the XML documentation for a layer. | ||||
| 	''' | ||||
| 
 | ||||
| 	layer_buf = [] | ||||
| 
 | ||||
| 	# Infer the layer name from the directory name. | ||||
| 	layer_buf.append("<layer name=\"%s\">\n" % layerName) | ||||
| 
 | ||||
| 	# Try to file the metadata file for this layer and if it exists, | ||||
| 	# append the contents to the buffer. | ||||
| 	bFoundMeta = False | ||||
| 	for directory in directories: | ||||
| 		metafile = directory + "/" + meta | ||||
| 
 | ||||
| 		if not bFoundMeta and os.path.isfile (metafile): | ||||
| 			layer_meta = open (metafile, "r") | ||||
| 			layer_buf += layer_meta.readlines () | ||||
| 			layer_meta.close() | ||||
| 			bFoundMeta = True | ||||
| 
 | ||||
| 	# force the metadata for the third party layer | ||||
| 	if not bFoundMeta: | ||||
| 		if layerName == third_party: | ||||
| 			layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n") | ||||
| 			bFoundMeta = True | ||||
| 
 | ||||
| 	# didn't find meta data for this layer - oh well	 | ||||
| 	if not bFoundMeta: | ||||
| 		layer_buf.append ("<summary>Summary is missing!.</summary>\n") | ||||
| 		warning ("unable to find %s for layer %s" % (meta, layerName))	 | ||||
| 	 | ||||
| 	# For each module file in the layer, add its XML. | ||||
| 	for directory in directories: | ||||
| 		modules = glob.glob("%s/*.if" % directory) | ||||
| 		modules.sort() | ||||
| 		for module in modules: | ||||
| 			layer_buf += getModuleXML(module) | ||||
| 
 | ||||
| 	layer_buf.append("</layer>\n") | ||||
| 
 | ||||
| 	return layer_buf | ||||
| 
 | ||||
| def getTunableXML(file_name, kind): | ||||
| 	''' | ||||
| 	Return all the XML for the tunables/bools in the file specified. | ||||
| @ -257,8 +224,10 @@ def getTunableXML(file_name, kind): | ||||
| 		if boolean: | ||||
| 			# If there is a gen_bool in a tunable file or a | ||||
| 			# gen_tunable in a boolean file, error and exit. | ||||
| 			if boolean.group(1) != kind: | ||||
| 				error("%s in a %s file." % (boolean.group(1), kind)) | ||||
| 			# Skip if both kinds are valid. | ||||
| 			if kind != "both": | ||||
| 				if boolean.group(1) != kind: | ||||
| 					error("%s in a %s file." % (boolean.group(1), kind)) | ||||
| 
 | ||||
| 			tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups()) | ||||
| 			tunable_buf += temp_buf | ||||
| @ -341,39 +310,15 @@ def usage(): | ||||
| 	Displays a message describing the proper usage of this script. | ||||
| 	""" | ||||
| 
 | ||||
| 	sys.stdout.write("usage: %s [-w] [-m file] "\ | ||||
| 		% sys.argv[0]) | ||||
| 	sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0]) | ||||
| 	sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\ | ||||
| 	"-m --module <file>\t\tname of module to process\n"+\ | ||||
| 	"-t --tunable <file>\t\tname of global tunable file to process\n"+\ | ||||
| 	"-b --boolean <file>\t\tname of global boolean file to process\n\n") | ||||
| 
 | ||||
| 	sys.stdout.write("layerdirectory [layerdirectory...]\n\n") | ||||
| 
 | ||||
| 	sys.stdout.write("Options:\n") | ||||
| 
 | ||||
| 	sys.stdout.write ("-h --help                      -- "+\ | ||||
| 				"show command line options\n") | ||||
| 
 | ||||
| 	sys.stdout.write("-w --warn                      -- "+\ | ||||
| 				"show warnings\n") | ||||
| 
 | ||||
| 	sys.stdout.write("-m --meta <file>               -- "+\ | ||||
| 				"the filename of the metadata in each layer\n") | ||||
| 
 | ||||
| 	sys.stdout.write("-t --tunable <file>            -- "+\ | ||||
| 				"A file containing tunable declarations\n") | ||||
| 
 | ||||
| 	sys.stdout.write("-b --bool <file>               -- "+\ | ||||
| 				"A file containing bool declarations\n") | ||||
| 												    | ||||
| 	sys.stdout.write("-o --output-dir <directory>    -- "+\ | ||||
| 				"A directory to output global_tunables.xml and global_booleans.xml\n") | ||||
| 
 | ||||
| 	sys.stdout.write("--tunables-xml <file>          -- "+\ | ||||
| 				"A file containing tunable declarations already in XML format\n") | ||||
| 
 | ||||
| 	sys.stdout.write("--booleans-xml <file>          -- "+\ | ||||
| 				"A file containing bool declarations already in XML format\n") | ||||
| 				 | ||||
| 	sys.stdout.write ("-3 --third-party <directory>   -- "+\ | ||||
| 				"Look for 3rd Party modules in directory.\n") | ||||
| 	sys.stdout.write("examples:\n") | ||||
| 	sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0]) | ||||
| 	sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0]) | ||||
| 
 | ||||
| def warning(description): | ||||
| 	''' | ||||
| @ -397,79 +342,50 @@ def error(description): | ||||
| 
 | ||||
| 
 | ||||
| # MAIN PROGRAM | ||||
| 
 | ||||
| # Defaults | ||||
| warn = False | ||||
| module = False | ||||
| tunable = False | ||||
| boolean = False | ||||
| 
 | ||||
| # Check that there are command line arguments. | ||||
| if len(sys.argv) <= 1: | ||||
| 	usage() | ||||
| 	sys.exit(1) | ||||
| 
 | ||||
| 
 | ||||
| # Parse the command line arguments | ||||
| for i in range(1, len(sys.argv)): | ||||
| 	if sys.argv[i-1] in ("-m", "--meta",\ | ||||
| 					"-t", "--tunable", "-b", "--bool",\ | ||||
| 					"-o", "--output-dir", "-3", "--third-party", \ | ||||
| 					"--tunables-xml", "--booleans-xml"): | ||||
| 		continue | ||||
| 	elif sys.argv[i] in ("-w", "--warn"): | ||||
| # Parse command line args | ||||
| try: | ||||
| 	opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean=']) | ||||
| except getopt.GetoptError: | ||||
| 	usage() | ||||
| 	sys.exit(2) | ||||
| for o, a in opts: | ||||
| 	if o in ('-w', '--warn'): | ||||
| 		warn = True | ||||
| 	elif sys.argv[i] in ("-m", "--meta"): | ||||
| 		if i < len(sys.argv)-1: | ||||
| 			meta = sys.argv[i+1] | ||||
| 		else: | ||||
| 			usage() | ||||
| 	elif sys.argv[i] in ("-t", "--tunable"): | ||||
| 		if i < len(sys.argv)-1: | ||||
| 			tunable_files.append(sys.argv[i+1]) | ||||
| 		else: | ||||
| 			usage() | ||||
| 	elif sys.argv[i] in ("-b", "--bool"): | ||||
| 		if i < len(sys.argv)-1: | ||||
| 			bool_files.append(sys.argv[i+1]) | ||||
| 		else: | ||||
| 			usage() | ||||
| 	 | ||||
| 	elif sys.argv[i] == "--tunables-xml": | ||||
| 		if i < len(sys.argv)-1: | ||||
| 			xml_bool_files.append (sys.argv[i+1]) | ||||
| 		else: | ||||
| 			usage () | ||||
| 			 | ||||
| 	elif sys.argv[i] == "--booleans-xml": | ||||
| 		if i < len(sys.argv)-1: | ||||
| 			xml_tunable_files.append (sys.argv[i+1]) | ||||
| 		else: | ||||
| 			usage () | ||||
| 			 | ||||
| 	elif sys.argv[i] in ("-o", "--output-dir"): | ||||
| 		if i < len(sys.argv)-1: | ||||
| 			output_dir = sys.argv[i+1] | ||||
| 		else: | ||||
| 			usage () | ||||
| 			 | ||||
| 	elif sys.argv[i] in ("-3", "--third-party"): | ||||
| 		if i < len(sys.argv) -1: | ||||
| 			if layers.has_key (third_party): | ||||
| 				layers[third_party].append (sys.argv[i+1]) | ||||
| 			else: | ||||
| 				layers[third_party] = [sys.argv[i+1]] | ||||
| 		else: | ||||
| 			usage () | ||||
| 
 | ||||
| 	elif sys.argv[i] in ("-h", "--help"): | ||||
| 		usage () | ||||
| 		sys.exit (1) | ||||
| 
 | ||||
| 	elif o in ('-h', '--help'): | ||||
| 		usage() | ||||
| 		sys.exit(0) | ||||
| 	elif o in ('-m', '--module'): | ||||
| 		module = a | ||||
| 		break | ||||
| 	elif o in ('-t', '--tunable'): | ||||
| 		tunable = a | ||||
| 		break | ||||
| 	elif o in ('-b', '--boolean'): | ||||
| 		boolean = a | ||||
| 		break | ||||
| 	else: | ||||
| 		# store directories in hash stored by layer name | ||||
| 		splitlayer = os.path.split(sys.argv[i]) | ||||
| 		if layers.has_key (splitlayer[1]): | ||||
| 			layers[splitlayer[1]].append (sys.argv[i]) | ||||
| 		else: | ||||
| 			layers[splitlayer[1]] = [sys.argv[i]] | ||||
| 		usage() | ||||
| 		sys.exit(2) | ||||
| 
 | ||||
| 
 | ||||
| # Generate the XML and output it to a file | ||||
| lines = getPolicyXML() | ||||
| for s in lines: | ||||
| 	sys.stdout.write(s) | ||||
| if module: | ||||
| 	sys.stdout.writelines(getModuleXML(module)) | ||||
| elif tunable: | ||||
| 	sys.stdout.writelines(getTunableXML(tunable, "tunable")) | ||||
| elif boolean: | ||||
| 	sys.stdout.writelines(getTunableXML(boolean, "bool")) | ||||
| else: | ||||
| 	usage() | ||||
| 	sys.exit(2) | ||||
| 
 | ||||
|  | ||||
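Review bot: In the `@ -397,79 +342,50 @@` hunk, the `break` after `module = a`, `tunable = a` and `boolean = a` stops option processing, so any option given after the file selector is silently ignored (`-m foo -w` never sets `warn`); dropping the three `break` lines lets the full option list apply regardless of order, and the usage text `[-mtb] <file>` could then state that the three selectors are mutually exclusive with the first one given taking effect. In the `@ -70,9 +72,15 @@` hunk, `module_te = "%s/%s.te" % (module_dir, module_name)` yields `/name.te` when `file_name` has no directory component, because `os.path.dirname` returns an empty string; `module_te = os.path.join(module_dir, module_name + ".te")` and the same form for `module_if` avoid that. The unchanged `warning("orphan XML comments at bottom of file %s" % file_name)` in the `@ -175,54 +183,13 @@` hunk now prints the bare stem rather than the `.if` file that was actually read, so `module_if` would be the accurate name there. Whether `getTunableXML` tolerates a missing `.te` file, as the new comment "Process the TE file if it exists" implies, is not visible in this diff and should be confirmed.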