trunk: six patches from dan.
This commit is contained in:
parent
8241b538af
commit
72f82c47c2
@ -5,5 +5,11 @@ ifdef(`distro_debian',`
|
||||
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
||||
|
||||
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
|
||||
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
|
||||
|
||||
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
|
||||
|
||||
/var/www/apcupsd/multimon.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||
/var/www/apcupsd/upsfstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||
/var/www/apcupsd/upsimage.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||
/var/www/apcupsd/upsstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
||||
|
@ -79,3 +79,21 @@ interface(`apcupsd_append_log',`
|
||||
allow $1 apcupsd_log_t:dir list_dir_perms;
|
||||
allow $1 apcupsd_log_t:file { getattr append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run httpd_apcupsd_cgi_script.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`httpd_apcupsd_cgi_script_domtrans',`
|
||||
gen_require(`
|
||||
type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apcupsd,1.1.1)
|
||||
policy_module(apcupsd,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -16,6 +16,9 @@ files_lock_file(apcupsd_lock_t)
|
||||
type apcupsd_log_t;
|
||||
logging_log_file(apcupsd_log_t)
|
||||
|
||||
type apcupsd_tmp_t;
|
||||
files_tmp_file(apcupsd_tmp_t)
|
||||
|
||||
type apcupsd_var_run_t;
|
||||
files_pid_file(apcupsd_var_run_t)
|
||||
|
||||
@ -24,6 +27,7 @@ files_pid_file(apcupsd_var_run_t)
|
||||
# apcupsd local policy
|
||||
#
|
||||
|
||||
allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
|
||||
allow apcupsd_t self:process signal;
|
||||
allow apcupsd_t self:fifo_file rw_file_perms;
|
||||
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -36,9 +40,17 @@ allow apcupsd_t apcupsd_log_t:dir setattr;
|
||||
manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
|
||||
logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
|
||||
|
||||
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
|
||||
files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
|
||||
|
||||
manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
|
||||
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(apcupsd_t)
|
||||
|
||||
corecmd_exec_bin(apcupsd_t)
|
||||
corecmd_exec_shell(apcupsd_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(apcupsd_t)
|
||||
corenet_all_recvfrom_netlabel(apcupsd_t)
|
||||
corenet_tcp_sendrecv_generic_if(apcupsd_t)
|
||||
@ -47,6 +59,7 @@ corenet_tcp_sendrecv_all_ports(apcupsd_t)
|
||||
corenet_tcp_bind_all_nodes(apcupsd_t)
|
||||
corenet_tcp_bind_apcupsd_port(apcupsd_t)
|
||||
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
|
||||
corenet_tcp_connect_apcupsd_port(apcupsd_t)
|
||||
|
||||
dev_rw_generic_usb_dev(apcupsd_t)
|
||||
|
||||
@ -55,6 +68,16 @@ domain_use_interactive_fds(apcupsd_t)
|
||||
|
||||
files_read_etc_files(apcupsd_t)
|
||||
files_search_locks(apcupsd_t)
|
||||
# Creates /etc/nologin
|
||||
files_manage_etc_runtime_files(apcupsd_t)
|
||||
files_etc_filetrans_etc_runtime(apcupsd_t,file)
|
||||
|
||||
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
|
||||
term_use_unallocated_ttys(apcupsd_t)
|
||||
|
||||
#apcupsd runs shutdown, probably need a shutdown domain
|
||||
init_rw_utmp(apcupsd_t)
|
||||
init_telinit(apcupsd_t)
|
||||
|
||||
libs_use_ld_so(apcupsd_t)
|
||||
libs_use_shared_libs(apcupsd_t)
|
||||
@ -64,6 +87,37 @@ logging_send_syslog_msg(apcupsd_t)
|
||||
miscfiles_read_localization(apcupsd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(apcupsd_t)
|
||||
term_dontaudit_use_generic_ptys(apcupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(apcupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(apcupsd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# apcupsd_cgi Declarations
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
apache_content_template(apcupsd_cgi)
|
||||
|
||||
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
|
||||
corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
|
||||
corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
|
||||
corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
|
||||
corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
|
||||
|
||||
sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
|
||||
')
|
||||
|
@ -1,5 +1,6 @@
|
||||
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
||||
/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.7.0)
|
||||
policy_module(networkmanager,1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,6 +31,8 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:udp_socket create_socket_perms;
|
||||
allow NetworkManager_t self:packet_socket create_socket_perms;
|
||||
|
||||
can_exec(NetworkManager_t, NetworkManager_exec_t)
|
||||
|
||||
manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
|
||||
manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
|
||||
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
|
||||
@ -161,6 +163,11 @@ optional_policy(`
|
||||
nscd_signal(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
openvpn_domtrans(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
|
@ -1,5 +1,73 @@
|
||||
## <summary>full-featured SSL VPN solution</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute OPENVPN clients in the openvpn domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`openvpn_domtrans',`
|
||||
gen_require(`
|
||||
type openvpn_t, openvpn_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, openvpn_exec_t, openvpn_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute OPENVPN clients in the openvpn domain, and
|
||||
## allow the specified role the openvpn domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the openvpn domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the openvpn domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`openvpn_run',`
|
||||
gen_require(`
|
||||
type openvpn_t;
|
||||
')
|
||||
|
||||
openvpn_domtrans($1)
|
||||
role $2 types openvpn_t;
|
||||
allow openvpn_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to OPENVPN clients.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`openvpn_signal',`
|
||||
gen_require(`
|
||||
type openvpn_t;
|
||||
')
|
||||
|
||||
allow $1 openvpn_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
|
@ -1,11 +1,18 @@
|
||||
|
||||
policy_module(openvpn,1.3.0)
|
||||
policy_module(openvpn,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow openvpn to read home directories
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(openvpn_enable_homedirs,false)
|
||||
|
||||
# main openvpn domain
|
||||
type openvpn_t;
|
||||
type openvpn_exec_t;
|
||||
@ -28,7 +35,9 @@ files_pid_file(openvpn_var_run_t)
|
||||
# openvpn local policy
|
||||
#
|
||||
|
||||
allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
|
||||
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
|
||||
allow openvpn_t self:process { signal getsched };
|
||||
|
||||
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow openvpn_t self:udp_socket create_socket_perms;
|
||||
@ -42,8 +51,8 @@ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
|
||||
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
|
||||
|
||||
allow openvpn_t openvpn_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
|
||||
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
|
||||
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(openvpn_t)
|
||||
kernel_read_net_sysctls(openvpn_t)
|
||||
@ -67,6 +76,7 @@ corenet_tcp_bind_openvpn_port(openvpn_t)
|
||||
corenet_udp_bind_openvpn_port(openvpn_t)
|
||||
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
||||
corenet_rw_tun_tap_dev(openvpn_t)
|
||||
corenet_tcp_connect_openvpn_port(openvpn_t)
|
||||
|
||||
dev_search_sysfs(openvpn_t)
|
||||
dev_read_rand(openvpn_t)
|
||||
@ -81,6 +91,7 @@ libs_use_shared_libs(openvpn_t)
|
||||
logging_send_syslog_msg(openvpn_t)
|
||||
|
||||
miscfiles_read_localization(openvpn_t)
|
||||
miscfiles_read_certs(openvpn_t)
|
||||
|
||||
sysnet_dns_name_resolve(openvpn_t)
|
||||
sysnet_exec_ifconfig(openvpn_t)
|
||||
@ -90,6 +101,18 @@ ifdef(`targeted_policy',`
|
||||
term_use_generic_ptys(openvpn_t)
|
||||
')
|
||||
|
||||
tunable_policy(`openvpn_enable_homedirs',`
|
||||
userdom_read_unpriv_users_home_content_files(openvpn_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(openvpn_t,openvpn_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(openvpn,openvpn_t)
|
||||
dbus_connect_system_bus(openvpn_t)
|
||||
dbus_send_system_bus(openvpn_t)
|
||||
|
||||
networkmanager_dbus_chat(openvpn_t)
|
||||
')
|
||||
|
@ -1,3 +1,5 @@
|
||||
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
|
||||
|
||||
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
|
||||
|
||||
/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
|
||||
|
@ -18,6 +18,46 @@ interface(`rwho_domtrans',`
|
||||
domtrans_pattern($1,rwho_exec_t,rwho_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search rwho log directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rwho_search_log',`
|
||||
gen_require(`
|
||||
type rwho_log_t;
|
||||
')
|
||||
|
||||
allow $1 rwho_log_t:dir search_dir_perms;
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read rwho log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rwho_read_log_files',`
|
||||
gen_require(`
|
||||
type rwho_log_t;
|
||||
')
|
||||
|
||||
allow $1 rwho_log_t:file read_file_perms;
|
||||
allow $1 rwho_log_t:dir list_dir_perms;
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search rwho spool directories.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rwho,1.1.0)
|
||||
policy_module(rwho,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,7 +10,9 @@ type rwho_t;
|
||||
type rwho_exec_t;
|
||||
init_daemon_domain(rwho_t, rwho_exec_t)
|
||||
|
||||
# var/spool files
|
||||
type rwho_log_t;
|
||||
files_type(rwho_log_t)
|
||||
|
||||
type rwho_spool_t;
|
||||
files_type(rwho_spool_t)
|
||||
|
||||
@ -25,7 +27,10 @@ allow rwho_t self:fifo_file rw_file_perms;
|
||||
allow rwho_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow rwho_t self:udp_socket create_socket_perms;
|
||||
|
||||
# var/spool files for rwho
|
||||
allow rwho_t rwho_log_t:dir manage_dir_perms;
|
||||
allow rwho_t rwho_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
|
||||
|
||||
allow rwho_t rwho_spool_t:dir manage_dir_perms;
|
||||
allow rwho_t rwho_spool_t:file manage_file_perms;
|
||||
files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
|
||||
|
@ -8,7 +8,11 @@
|
||||
|
||||
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
||||
|
||||
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
|
||||
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(spamassassin,1.7.1)
|
||||
policy_module(spamassassin,1.7.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -87,8 +87,9 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
|
||||
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
||||
read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
|
||||
|
||||
manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
|
||||
files_pid_filetrans(spamd_t,spamd_var_run_t,file)
|
||||
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
kernel_read_system_state(spamd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(raid,1.3.0)
|
||||
policy_module(raid,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -70,6 +70,7 @@ miscfiles_read_localization(mdadm_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(mdadm_t)
|
||||
userdom_dontaudit_search_all_users_home_content(mdadm_t)
|
||||
|
||||
mta_send_mail(mdadm_t)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user