podsleuth patch from dan.

This commit is contained in:
Chris PeBenito 2009-07-21 10:11:16 -04:00
parent 13306f56b6
commit 5bb5ec1d40
3 changed files with 83 additions and 7 deletions


@ -1,2 +1,3 @@
/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)


@ -16,4 +16,30 @@ interface(`podsleuth_domtrans',`
') ')
domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
allow $1 podsleuth_t:process signal;
')
########################################
## <summary>
## Execute podsleuth in the podsleuth domain, and
## allow the specified role the podsleuth domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the podsleuth domain.
## </summary>
## </param>
#
interface(`podsleuth_run',`
gen_require(`
type podsleuth_t;
')
podsleuth_domtrans($1)
role $2 types podsleuth_t;
') ')
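Review bot: The `allow $1 podsleuth_t:process signal;` added to podsleuth_domtrans changes that interface's contract — the calling domain can now send signals to podsleuth_t, not only transition into it — but the interface's `<summary>` block lies above the hunk and, as far as can be seen here, is not updated to say so. Adding a line such as `## Execute podsleuth in the podsleuth domain and allow the caller to signal it.` to that summary keeps the XML documentation in step with the rules, which matters because other modules choose interfaces by their documented effect. The interface(`podsleuth_domtrans') definition starts outside the hunk, so the existing summary text cannot be verified from this page. The new podsleuth_run interface itself follows the usual domtrans-plus-role pattern and is documented consistently.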


@ -1,5 +1,5 @@
policy_module(podsleuth, 1.1.0) policy_module(podsleuth, 1.1.1)
######################################## ########################################
# #
@ -11,25 +11,74 @@ type podsleuth_exec_t;
application_domain(podsleuth_t, podsleuth_exec_t) application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t; role system_r types podsleuth_t;
type podsleuth_cache_t;
files_type(podsleuth_cache_t)
ubac_constrained(podsleuth_cache_t)
type podsleuth_tmp_t;
files_tmp_file(podsleuth_tmp_t)
ubac_constrained(podsleuth_tmp_t)
type podsleuth_tmpfs_t;
files_tmpfs_file(podsleuth_tmpfs_t)
ubac_constrained(podsleuth_tmpfs_t)
######################################## ########################################
# #
# podsleuth local policy # podsleuth local policy
# #
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
allow podsleuth_t self:process { signal getsched execheap execmem }; allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
allow podsleuth_t self:tcp_socket create_stream_socket_perms;
allow podsleuth_t self:udp_socket create_socket_perms;
manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
allow podsleuth_t podsleuth_tmp_t:dir mounton;
manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
kernel_read_system_state(podsleuth_t) kernel_read_system_state(podsleuth_t)
corecmd_exec_bin(podsleuth_t)
corenet_tcp_connect_http_port(podsleuth_t)
dev_read_urand(podsleuth_t) dev_read_urand(podsleuth_t)
files_read_etc_files(podsleuth_t) files_read_etc_files(podsleuth_t)
fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
fs_getattr_dos_fs(podsleuth_t)
fs_read_dos_files(podsleuth_t)
fs_search_dos(podsleuth_t)
fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
miscfiles_read_localization(podsleuth_t) miscfiles_read_localization(podsleuth_t)
sysnet_dns_name_resolve(podsleuth_t)
optional_policy(`
dbus_system_bus_client(podsleuth_t) dbus_system_bus_client(podsleuth_t)
mono_exec(podsleuth_t) optional_policy(`
hal_dbus_chat(podsleuth_t) hal_dbus_chat(podsleuth_t)
')
')
optional_policy(`
mono_exec(podsleuth_t)
')
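Review bot: The new line `allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };` grants the broadest capabilities in the module with no comment stating which operation needs each one; sys_admin and sys_rawio together let the domain mount filesystems and bypass normal block-device restrictions, so the justification should be recorded beside the rule so it can be retightened later. The adjacent fs_mount_dos_fs/fs_unmount_dos_fs calls and the `mounton` rule on podsleuth_tmp_t plausibly account for sys_admin, and reading the device directly plausibly accounts for sys_rawio, but that is inferred rather than visible here, so a comment like `# sys_admin: mount/unmount the device's dos fs; sys_rawio: direct device reads (confirm)` above the line is the proposal. The `ptrace` and `execstack` permissions added on the self:process line deserve the same one-line note (presumably a runtime requirement of the mono execution enabled in the optional_policy block below). Because the domain now also has tcp_socket, corenet_tcp_connect_http_port and sysnet_dns_name_resolve, a domain that parses removable media gains network reach at the same time as these capabilities; if the HTTP access is optional for the program, gating those three rules behind a tunable would shrink the exposure for installs that do not need it.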