trunk: 10 patches from dan.

This commit is contained in:
Chris PeBenito 2008-11-11 16:38:34 +00:00
parent 27337d8c21
commit 5843d066b6
25 changed files with 306 additions and 28 deletions

View File

@ -64,8 +64,8 @@ interface(`aide_admin',`
ps_process_pattern($1, aide_t)
files_list_etc($1)
manage_files_pattern($1, aide_db_t, aide_db_t)
admin_pattern($1, aide_db_t)
logging_list_logs($1)
manage_files_pattern($1, aide_log_t, aide_log_t)
admin_pattern($1, aide_log_t)
')

View File

@ -1,5 +1,5 @@
policy_module(aide, 1.4.1)
policy_module(aide, 1.4.2)
########################################
#

View File

@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
#
# /usr

View File

@ -90,3 +90,45 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
dontaudit $1 arpwatch_t:packet_socket { read write };
')
########################################
## <summary>
## All of the rules required to administrate
## an arpwatch environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the arpwatch domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t;
type arpwatch_data_t, arpwatch_var_run_t;
type arpwatch_initrc_exec_t;
')
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, arpwatch_t)
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
files_list_var($1)
admin_pattern($1, arpwatch_data_t)
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(arpwatch, 1.6.1)
policy_module(arpwatch, 1.6.2)
########################################
#
@ -13,6 +13,9 @@ init_daemon_domain(arpwatch_t, arpwatch_exec_t)
type arpwatch_data_t;
files_type(arpwatch_data_t)
type arpwatch_initrc_exec_t;
init_script_file(arpwatch_initrc_exec_t)
type arpwatch_tmp_t;
files_tmp_file(arpwatch_tmp_t)

View File

@ -1,4 +1,5 @@
/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)

View File

@ -1 +1,53 @@
## <summary>Asterisk IP telephony server</summary>
########################################
## <summary>
## All of the rules required to administrate
## an asterisk environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the asterisk domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`asterisk_admin',`
gen_require(`
type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
type asterisk_var_lib_t;
type asterisk_initrc_exec_t;
')
allow $1 asterisk_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, asterisk_t)
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, asterisk_tmp_t)
files_list_etc($1)
admin_pattern($1, asterisk_etc_t)
logging_list_logs($1)
admin_pattern($1, asterisk_log_t)
files_list_spool($1)
admin_pattern($1, asterisk_spool_t)
files_list_var_lib($1)
admin_pattern($1, asterisk_var_lib_t)
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(asterisk, 1.5.1)
policy_module(asterisk, 1.5.2)
########################################
#
@ -13,6 +13,9 @@ init_daemon_domain(asterisk_t, asterisk_exec_t)
type asterisk_etc_t;
files_config_file(asterisk_etc_t)
type asterisk_initrc_exec_t;
init_script_file(asterisk_initrc_exec_t)
type asterisk_log_t;
logging_log_file(asterisk_log_t)

View File

@ -1,4 +1,4 @@
/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)

View File

@ -261,19 +261,18 @@ interface(`bind_udp_chat_named',`
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal.
## The role to be allowed to manage the bind domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`bind_admin',`
gen_require(`
type named_t, ndc_t;
type named_t, named_tmp_t, named_log_t;
type named_conf_t, named_var_run_t;
type named_cache_t, named_zone_t;
type dnssec_t, ndc_t;
type named_initrc_exec_t;
')
allow $1 named_t:process { ptrace signal_perms };
@ -282,5 +281,25 @@ interface(`bind_admin',`
allow $1 ndc_t:process { ptrace signal_perms };
ps_process_pattern($1, ndc_t)
bind_run_ndc($1, $2, $3)
bind_run_ndc($1, $2)
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
logging_list_logs($1)
admin_pattern($1, named_log_t)
files_list_etc($1)
admin_pattern($1, named_conf_t)
admin_pattern($1, named_cache_t)
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
files_list_pids($1)
admin_pattern($1, named_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(bind, 1.8.1)
policy_module(bind, 1.8.2)
########################################
#
@ -242,6 +242,8 @@ sysnet_dns_name_resolve(ndc_t)
userdom_use_user_terminals(ndc_t)
term_dontaudit_use_console(ndc_t)
# for /etc/rndc.key
ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;

View File

@ -1,6 +1,8 @@
/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(inetd, 1.8.1)
policy_module(inetd, 1.8.2)
########################################
#
@ -136,6 +136,7 @@ corecmd_read_bin_symlinks(inetd_t)
domain_use_interactive_fds(inetd_t)
files_read_etc_files(inetd_t)
files_read_etc_runtime_files(inetd_t)
logging_send_syslog_msg(inetd_t)
@ -219,6 +220,7 @@ dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
files_read_etc_files(inetd_child_t)
files_read_etc_runtime_files(inetd_child_t)
auth_use_nsswitch(inetd_child_t)

View File

@ -22,11 +22,14 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
#
# /var
#
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(lpd, 1.10.1)
policy_module(lpd, 1.10.2)
########################################
#

View File

@ -1,5 +1,7 @@
/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0)
/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
@ -7,3 +9,5 @@
/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)

View File

@ -12,10 +12,70 @@
#
interface(`postgrey_stream_connect',`
gen_require(`
type postgrey_var_run_t, postgrey_t;
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
allow $1 postgrey_t:unix_stream_socket connectto;
allow $1 postgrey_var_run_t:sock_file write;
stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
files_search_pids($1)
')
########################################
## <summary>
## Search the spool directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`postgrey_search_spool',`
gen_require(`
type postgrey_spool_t;
')
allow $1 postgrey_spool_t:dir search_dir_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an postgrey environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the postgrey domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgrey_admin',`
gen_require(`
type postgrey_t, postgrey_etc_t;
type postgrey_var_lib_t, postgrey_var_run_t;
type postgrey_initrc_exec_t;
')
allow $1 postgrey_t:process { ptrace signal_perms };
ps_process_pattern($1, postgrey_t)
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
files_list_var_lib($1)
admin_pattern($1, postgrey_var_lib_t)
files_list_pids($1)
admin_pattern($1, postgrey_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(postgrey, 1.5.1)
policy_module(postgrey, 1.5.2)
########################################
#
@ -13,6 +13,12 @@ init_daemon_domain(postgrey_t, postgrey_exec_t)
type postgrey_etc_t;
files_config_file(postgrey_etc_t)
type postgrey_initrc_exec_t;
init_script_file(postgrey_initrc_exec_t)
type postgrey_spool_t;
files_type(postgrey_spool_t)
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
@ -24,15 +30,21 @@ files_pid_file(postgrey_var_run_t)
# Local policy
#
allow postgrey_t self:capability { chown setgid setuid };
allow postgrey_t self:capability { chown dac_override setgid setuid };
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
allow postgrey_t postgrey_etc_t:dir list_dir_perms;
read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
@ -81,6 +93,10 @@ optional_policy(`
nis_use_ypbind(postgrey_t)
')
optional_policy(`
postfix_read_config(postgrey_t)
')
optional_policy(`
seutil_sigchld_newrole(postgrey_t)
')

View File

@ -1,5 +1,7 @@
/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)

View File

@ -10,23 +10,34 @@
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`privoxy_admin',`
gen_require(`
type privoxy_t, privoxy_log_t;
type privoxy_etc_rw_t, privoxy_var_run_t;
type privoxy_initrc_exec_t;
')
allow $1 privoxy_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, privoxy_t)
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 privoxy_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
admin_pattern($1, privoxy_log_t)
files_list_etc($1)
manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
admin_pattern($1, privoxy_etc_rw_t)
files_list_pids($1)
manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
admin_pattern($1, privoxy_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(privoxy, 1.7.1)
policy_module(privoxy, 1.7.2)
########################################
#
@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
type privoxy_exec_t;
init_daemon_domain(privoxy_t, privoxy_exec_t)
type privoxy_initrc_exec_t;
init_script_file(privoxy_initrc_exec_t)
type privoxy_etc_rw_t;
files_type(privoxy_etc_rw_t)
@ -50,6 +53,7 @@ corenet_tcp_bind_http_cache_port(privoxy_t)
corenet_tcp_connect_http_port(privoxy_t)
corenet_tcp_connect_http_cache_port(privoxy_t)
corenet_tcp_connect_ftp_port(privoxy_t)
corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
corenet_sendrecv_http_cache_client_packets(privoxy_t)
corenet_sendrecv_http_cache_server_packets(privoxy_t)

View File

@ -1,5 +1,5 @@
policy_module(qmail, 1.4.1)
policy_module(qmail, 1.4.2)
########################################
#
@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
spamassassin_domtrans_client(qmail_local_t)
')
########################################
#
# qmail-lspawn local policy
@ -251,6 +255,10 @@ optional_policy(`
daemontools_ipc_domain(qmail_smtpd_t)
')
optional_policy(`
kerberos_keytab_template(qmail, qmail_smtpd_t)
')
optional_policy(`
ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
')

View File

@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
#
# /usr
#

View File

@ -1 +1,39 @@
## <summary>Roundup Issue Tracking System policy</summary>
########################################
## <summary>
## All of the rules required to administrate
## an roundup environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the roundup domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`roundup_admin',`
gen_require(`
type roundup_t, roundup_var_lib_t, roundup_var_run_t;
type roundup_initrc_exec_t;
')
allow $1 roundup_t:process { ptrace signal_perms };
ps_process_pattern($1, roundup_t)
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 roundup_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
files_list_pids($1)
admin_pattern($1, roundup_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(roundup, 1.5.1)
policy_module(roundup, 1.5.2)
########################################
#
@ -10,6 +10,9 @@ type roundup_t;
type roundup_exec_t;
init_daemon_domain(roundup_t, roundup_exec_t)
type roundup_initrc_exec_t;
init_script_file(roundup_initrc_exec_t)
type roundup_var_run_t;
files_pid_file(roundup_var_run_t)