trunk: 10 patches from dan.
parent
27337d8c21
commit
5843d066b6
@ -64,8 +64,8 @@ interface(`aide_admin',`
|
||||
ps_process_pattern($1, aide_t)
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, aide_db_t, aide_db_t)
|
||||
admin_pattern($1, aide_db_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, aide_log_t, aide_log_t)
|
||||
admin_pattern($1, aide_log_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(aide, 1.4.1)
|
||||
policy_module(aide, 1.4.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,3 +1,4 @@
|
||||
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
@ -90,3 +90,45 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
|
||||
|
||||
dontaudit $1 arpwatch_t:packet_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an arpwatch environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the arpwatch domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`arpwatch_admin',`
|
||||
gen_require(`
|
||||
type arpwatch_t, arpwatch_tmp_t;
|
||||
type arpwatch_data_t, arpwatch_var_run_t;
|
||||
type arpwatch_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, arpwatch_t)
|
||||
|
||||
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 arpwatch_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, arpwatch_tmp_t)
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, arpwatch_data_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, arpwatch_var_run_t)
|
||||
')
|
||||
|
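Review bot: The `getattr` in `allow $1 arpwatch_t:process { ptrace signal_perms getattr };` is redundant with the `ps_process_pattern($1, arpwatch_t)` on the next line, which in refpolicy's misc_patterns already grants process getattr, and the other admin interfaces added in this commit (`bind_admin`, `postgrey_admin`, `roundup_admin`) use `{ ptrace signal_perms }` alone. Suggest `allow $1 arpwatch_t:process { ptrace signal_perms };` so the new interfaces read the same. The same duplication appears in `asterisk_admin` and `privoxy_admin` in the later hunks.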
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(arpwatch, 1.6.1)
|
||||
policy_module(arpwatch, 1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,9 @@ init_daemon_domain(arpwatch_t, arpwatch_exec_t)
|
||||
type arpwatch_data_t;
|
||||
files_type(arpwatch_data_t)
|
||||
|
||||
type arpwatch_initrc_exec_t;
|
||||
init_script_file(arpwatch_initrc_exec_t)
|
||||
|
||||
type arpwatch_tmp_t;
|
||||
files_tmp_file(arpwatch_tmp_t)
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
|
||||
|
||||
|
@ -1 +1,53 @@
|
||||
## <summary>Asterisk IP telephony server</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an asterisk environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the asterisk domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`asterisk_admin',`
|
||||
gen_require(`
|
||||
type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
|
||||
type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
|
||||
type asterisk_var_lib_t;
|
||||
type asterisk_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 asterisk_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, asterisk_t)
|
||||
|
||||
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 asterisk_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, asterisk_tmp_t)
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, asterisk_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, asterisk_log_t)
|
||||
|
||||
files_list_spool($1)
|
||||
admin_pattern($1, asterisk_spool_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, asterisk_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, asterisk_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(asterisk, 1.5.1)
|
||||
policy_module(asterisk, 1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,9 @@ init_daemon_domain(asterisk_t, asterisk_exec_t)
|
||||
type asterisk_etc_t;
|
||||
files_config_file(asterisk_etc_t)
|
||||
|
||||
type asterisk_initrc_exec_t;
|
||||
init_script_file(asterisk_initrc_exec_t)
|
||||
|
||||
type asterisk_log_t;
|
||||
logging_log_file(asterisk_log_t)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||
|
||||
|
@ -261,19 +261,18 @@ interface(`bind_udp_chat_named',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal.
|
||||
## The role to be allowed to manage the bind domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`bind_admin',`
|
||||
gen_require(`
|
||||
type named_t, ndc_t;
|
||||
type named_t, named_tmp_t, named_log_t;
|
||||
type named_conf_t, named_var_run_t;
|
||||
type named_cache_t, named_zone_t;
|
||||
type dnssec_t, ndc_t;
|
||||
type named_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 named_t:process { ptrace signal_perms };
|
||||
@ -282,5 +281,25 @@ interface(`bind_admin',`
|
||||
allow $1 ndc_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ndc_t)
|
||||
|
||||
bind_run_ndc($1, $2, $3)
|
||||
bind_run_ndc($1, $2)
|
||||
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 named_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, named_tmp_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, named_log_t)
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, named_conf_t)
|
||||
|
||||
admin_pattern($1, named_cache_t)
|
||||
admin_pattern($1, named_zone_t)
|
||||
admin_pattern($1, dnssec_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, named_var_run_t)
|
||||
')
|
||||
|
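Review bot: `bind_run_ndc($1, $2)` drops the former terminal argument and the interface doc now declares only `domain` and `role`, but m4 silently ignores surplus arguments, so any caller outside this commit that still invokes `bind_admin` with three arguments keeps building with a stale third argument instead of failing; the callers (typically the role modules) should be updated in the same change. The new side also adds `domain_system_change_exemption($1)` and `role_transition $2 named_initrc_exec_t system_r;`, yet neither hunk shows an `init_labeled_script_domtrans($1, named_initrc_exec_t)`; if that is not already granted earlier in the interface, the role transition has no matching domain transition to pair with. The body of `bind_admin` between the `gen_require` block and the `allow $1 ndc_t:process` line is outside these hunks.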
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bind, 1.8.1)
|
||||
policy_module(bind, 1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -242,6 +242,8 @@ sysnet_dns_name_resolve(ndc_t)
|
||||
|
||||
userdom_use_user_terminals(ndc_t)
|
||||
|
||||
term_dontaudit_use_console(ndc_t)
|
||||
|
||||
# for /etc/rndc.key
|
||||
ifdef(`distro_redhat',`
|
||||
allow ndc_t named_conf_t:dir search;
|
||||
|
@ -1,6 +1,8 @@
|
||||
|
||||
/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
|
||||
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
|
||||
/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
|
||||
|
||||
/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||
/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inetd, 1.8.1)
|
||||
policy_module(inetd, 1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -136,6 +136,7 @@ corecmd_read_bin_symlinks(inetd_t)
|
||||
domain_use_interactive_fds(inetd_t)
|
||||
|
||||
files_read_etc_files(inetd_t)
|
||||
files_read_etc_runtime_files(inetd_t)
|
||||
|
||||
logging_send_syslog_msg(inetd_t)
|
||||
|
||||
@ -219,6 +220,7 @@ dev_read_urand(inetd_child_t)
|
||||
fs_getattr_xattr_fs(inetd_child_t)
|
||||
|
||||
files_read_etc_files(inetd_child_t)
|
||||
files_read_etc_runtime_files(inetd_child_t)
|
||||
|
||||
auth_use_nsswitch(inetd_child_t)
|
||||
|
||||
|
@ -22,11 +22,14 @@
|
||||
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
|
||||
/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
|
||||
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||
/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
|
||||
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd, 1.10.1)
|
||||
policy_module(lpd, 1.10.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,7 @@
|
||||
|
||||
/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
|
||||
|
||||
|
||||
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
|
||||
|
||||
@ -7,3 +9,5 @@
|
||||
|
||||
/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
|
||||
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
|
||||
|
||||
/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
|
||||
|
@ -12,10 +12,70 @@
|
||||
#
|
||||
interface(`postgrey_stream_connect',`
|
||||
gen_require(`
|
||||
type postgrey_var_run_t, postgrey_t;
|
||||
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
|
||||
')
|
||||
|
||||
allow $1 postgrey_t:unix_stream_socket connectto;
|
||||
allow $1 postgrey_var_run_t:sock_file write;
|
||||
stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
|
||||
stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the spool directory
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgrey_search_spool',`
|
||||
gen_require(`
|
||||
type postgrey_spool_t;
|
||||
')
|
||||
|
||||
allow $1 postgrey_spool_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an postgrey environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the postgrey domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`postgrey_admin',`
|
||||
gen_require(`
|
||||
type postgrey_t, postgrey_etc_t;
|
||||
type postgrey_var_lib_t, postgrey_var_run_t;
|
||||
type postgrey_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 postgrey_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postgrey_t)
|
||||
|
||||
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 postgrey_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, postgrey_etc_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, postgrey_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, postgrey_var_run_t)
|
||||
')
|
||||
|
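Review bot: `stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)` lets a caller connect to a socket under `/var/spool/postfix/postgrey`, but the interface only keeps `files_search_pids($1)` for the pid-directory path; reaching the spool socket also needs search on the parent `/var/spool/postfix` directory, which this interface does not grant, so callers that are not postfix itself may still be denied during the directory walk. Either document above the pattern that callers are expected to already hold postfix spool search access, or grant it here through the matching postfix interface if one exists. Separately, the new summary reads `## an postgrey environment` (and `## an roundup environment` in the roundup hunk); suggest `## a postgrey environment` and `## a roundup environment`.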
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgrey, 1.5.1)
|
||||
policy_module(postgrey, 1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,12 @@ init_daemon_domain(postgrey_t, postgrey_exec_t)
|
||||
type postgrey_etc_t;
|
||||
files_config_file(postgrey_etc_t)
|
||||
|
||||
type postgrey_initrc_exec_t;
|
||||
init_script_file(postgrey_initrc_exec_t)
|
||||
|
||||
type postgrey_spool_t;
|
||||
files_type(postgrey_spool_t)
|
||||
|
||||
type postgrey_var_lib_t;
|
||||
files_type(postgrey_var_lib_t)
|
||||
|
||||
@ -24,15 +30,21 @@ files_pid_file(postgrey_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow postgrey_t self:capability { chown setgid setuid };
|
||||
allow postgrey_t self:capability { chown dac_override setgid setuid };
|
||||
dontaudit postgrey_t self:capability sys_tty_config;
|
||||
allow postgrey_t self:process signal_perms;
|
||||
allow postgrey_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postgrey_t self:fifo_file create_fifo_file_perms;
|
||||
|
||||
allow postgrey_t postgrey_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
|
||||
read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
|
||||
|
||||
manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
|
||||
manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
|
||||
manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
|
||||
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
|
||||
|
||||
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
|
||||
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
|
||||
|
||||
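Review bot: `allow postgrey_t self:capability { chown dac_override setgid setuid };` adds `dac_override` with no comment saying which access fails without it; the capability bypasses DAC on every object the type-enforcement rules already reach (etc, spool, var_lib, pids), so a one-line rationale such as `# dac_override: needed for <access — TODO fill in>` above the rule is warranted, and if only reads or directory searches are failing, `dac_read_search` is the narrower capability. The new `manage_*_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)` rules pair with the `/var/spool/postfix/postgrey(/.*)?` file-context entry, but I do not see a type transition for that directory in this hunk; if postgrey creates the directory or socket at startup, it inherits the parent spool label rather than `postgrey_spool_t` until a restorecon, and the new `postgrey_stream_connect` rule on `postgrey_spool_t` will not apply.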
@ -81,6 +93,10 @@ optional_policy(`
|
||||
nis_use_ypbind(postgrey_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postfix_read_config(postgrey_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(postgrey_t)
|
||||
')
|
||||
|
@ -1,5 +1,7 @@
|
||||
|
||||
/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
|
||||
/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
|
||||
/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
|
||||
|
||||
|
@ -10,23 +10,34 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`privoxy_admin',`
|
||||
gen_require(`
|
||||
type privoxy_t, privoxy_log_t;
|
||||
type privoxy_etc_rw_t, privoxy_var_run_t;
|
||||
type privoxy_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 privoxy_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, privoxy_t)
|
||||
|
||||
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 privoxy_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
|
||||
admin_pattern($1, privoxy_log_t)
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
|
||||
admin_pattern($1, privoxy_etc_rw_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
|
||||
admin_pattern($1, privoxy_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(privoxy, 1.7.1)
|
||||
policy_module(privoxy, 1.7.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
|
||||
type privoxy_exec_t;
|
||||
init_daemon_domain(privoxy_t, privoxy_exec_t)
|
||||
|
||||
type privoxy_initrc_exec_t;
|
||||
init_script_file(privoxy_initrc_exec_t)
|
||||
|
||||
type privoxy_etc_rw_t;
|
||||
files_type(privoxy_etc_rw_t)
|
||||
|
||||
@ -50,6 +53,7 @@ corenet_tcp_bind_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_http_port(privoxy_t)
|
||||
corenet_tcp_connect_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_ftp_port(privoxy_t)
|
||||
corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
|
||||
corenet_tcp_connect_tor_port(privoxy_t)
|
||||
corenet_sendrecv_http_cache_client_packets(privoxy_t)
|
||||
corenet_sendrecv_http_cache_server_packets(privoxy_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(qmail, 1.4.1)
|
||||
policy_module(qmail, 1.4.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t)
|
||||
|
||||
qmail_domtrans_queue(qmail_local_t)
|
||||
|
||||
optional_policy(`
|
||||
spamassassin_domtrans_client(qmail_local_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# qmail-lspawn local policy
|
||||
@ -251,6 +255,10 @@ optional_policy(`
|
||||
daemontools_ipc_domain(qmail_smtpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(qmail, qmail_smtpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
|
||||
')
|
||||
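Review bot: `kerberos_keytab_template(qmail, qmail_smtpd_t)` declares, as I recall the template, a `qmail_keytab_t` type readable by `qmail_smtpd_t`, but I see no matching file-context entry for a qmail keytab in this commit, so unless one exists elsewhere nothing is ever labeled `qmail_keytab_t` and the rule is inert. If the intent is the system keytab rather than a service-specific one, `kerberos_read_keytab(qmail_smtpd_t)` is the simpler rule. A short comment above the `optional_policy` block naming the keytab path it is meant for would settle which is intended.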
|
@ -1,3 +1,5 @@
|
||||
/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
|
@ -1 +1,39 @@
|
||||
## <summary>Roundup Issue Tracking System policy</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an roundup environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the roundup domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`roundup_admin',`
|
||||
gen_require(`
|
||||
type roundup_t, roundup_var_lib_t, roundup_var_run_t;
|
||||
type roundup_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 roundup_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, roundup_t)
|
||||
|
||||
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 roundup_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, roundup_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, roundup_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(roundup, 1.5.1)
|
||||
policy_module(roundup, 1.5.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type roundup_t;
|
||||
type roundup_exec_t;
|
||||
init_daemon_domain(roundup_t, roundup_exec_t)
|
||||
|
||||
type roundup_initrc_exec_t;
|
||||
init_script_file(roundup_initrc_exec_t)
|
||||
|
||||
type roundup_var_run_t;
|
||||
files_pid_file(roundup_var_run_t)
|
||||
|
||||
|