trunk: six patches from dan.

This commit is contained in:
Chris PeBenito 2007-09-06 18:34:40 +00:00
parent 8241b538af
commit 72f82c47c2
13 changed files with 245 additions and 15 deletions

View File

@ -5,5 +5,11 @@ ifdef(`distro_debian',`
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
/var/www/apcupsd/multimon.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsfstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsimage.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)

View File

@ -79,3 +79,21 @@ interface(`apcupsd_append_log',`
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file { getattr append };
')
########################################
## <summary>
## Execute a domain transition to run httpd_apcupsd_cgi_script.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`httpd_apcupsd_cgi_script_domtrans',`
gen_require(`
type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
')
domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
')

View File

@ -1,5 +1,5 @@
policy_module(apcupsd,1.1.1)
policy_module(apcupsd,1.1.2)
########################################
#
@ -16,6 +16,9 @@ files_lock_file(apcupsd_lock_t)
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
type apcupsd_tmp_t;
files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
@ -24,6 +27,7 @@ files_pid_file(apcupsd_var_run_t)
# apcupsd local policy
#
allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
allow apcupsd_t self:process signal;
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@ -36,9 +40,17 @@ allow apcupsd_t apcupsd_log_t:dir setattr;
manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
corenet_all_recvfrom_unlabeled(apcupsd_t)
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
@ -47,6 +59,7 @@ corenet_tcp_sendrecv_all_ports(apcupsd_t)
corenet_tcp_bind_all_nodes(apcupsd_t)
corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@ -55,6 +68,16 @@ domain_use_interactive_fds(apcupsd_t)
files_read_etc_files(apcupsd_t)
files_search_locks(apcupsd_t)
# Creates /etc/nologin
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t,file)
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
term_use_unallocated_ttys(apcupsd_t)
#apcupsd runs shutdown, probably need a shutdown domain
init_rw_utmp(apcupsd_t)
init_telinit(apcupsd_t)
libs_use_ld_so(apcupsd_t)
libs_use_shared_libs(apcupsd_t)
@ -64,6 +87,37 @@ logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(apcupsd_t)
term_dontaudit_use_generic_ptys(apcupsd_t)
')
optional_policy(`
hostname_exec(apcupsd_t)
')
optional_policy(`
mta_send_mail(apcupsd_t)
')
########################################
#
# apcupsd_cgi Declarations
#
optional_policy(`
apache_content_template(apcupsd_cgi)
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
')

View File

@ -1,5 +1,6 @@
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(networkmanager,1.7.0)
policy_module(networkmanager,1.7.1)
########################################
#
@ -31,6 +31,8 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
can_exec(NetworkManager_t, NetworkManager_exec_t)
manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
@ -161,6 +163,11 @@ optional_policy(`
nscd_signal(NetworkManager_t)
')
optional_policy(`
openvpn_domtrans(NetworkManager_t)
openvpn_signal(NetworkManager_t)
')
optional_policy(`
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)

View File

@ -1,5 +1,73 @@
## <summary>full-featured SSL VPN solution</summary>
########################################
## <summary>
## Execute OPENVPN clients in the openvpn domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`openvpn_domtrans',`
gen_require(`
type openvpn_t, openvpn_exec_t;
')
domtrans_pattern($1, openvpn_exec_t, openvpn_t)
')
########################################
## <summary>
## Execute OPENVPN clients in the openvpn domain, and
## allow the specified role the openvpn domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the openvpn domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the openvpn domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`openvpn_run',`
gen_require(`
type openvpn_t;
')
openvpn_domtrans($1)
role $2 types openvpn_t;
allow openvpn_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Send generic signals to OPENVPN clients.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`openvpn_signal',`
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process signal;
')
########################################
## <summary>
## Allow the specified domain to read

View File

@ -1,11 +1,18 @@
policy_module(openvpn,1.3.0)
policy_module(openvpn,1.3.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow openvpn to read home directories
## </p>
## </desc>
gen_tunable(openvpn_enable_homedirs,false)
# main openvpn domain
type openvpn_t;
type openvpn_exec_t;
@ -28,7 +35,9 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
@ -42,8 +51,8 @@ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
allow openvpn_t openvpn_var_run_t:file manage_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
@ -67,6 +76,7 @@ corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
@ -81,6 +91,7 @@ libs_use_shared_libs(openvpn_t)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
@ -90,6 +101,18 @@ ifdef(`targeted_policy',`
term_use_generic_ptys(openvpn_t)
')
tunable_policy(`openvpn_enable_homedirs',`
userdom_read_unpriv_users_home_content_files(openvpn_t)
')
optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t)
')
optional_policy(`
dbus_system_bus_client_template(openvpn,openvpn_t)
dbus_connect_system_bus(openvpn_t)
dbus_send_system_bus(openvpn_t)
networkmanager_dbus_chat(openvpn_t)
')

View File

@ -1,3 +1,5 @@
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)

View File

@ -18,6 +18,46 @@ interface(`rwho_domtrans',`
domtrans_pattern($1,rwho_exec_t,rwho_t)
')
########################################
## <summary>
## Search rwho log directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rwho_search_log',`
gen_require(`
type rwho_log_t;
')
allow $1 rwho_log_t:dir search_dir_perms;
logging_search_logs($1)
')
########################################
## <summary>
## Read rwho log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rwho_read_log_files',`
gen_require(`
type rwho_log_t;
')
allow $1 rwho_log_t:file read_file_perms;
allow $1 rwho_log_t:dir list_dir_perms;
logging_search_logs($1)
')
########################################
## <summary>
## Search rwho spool directories.

View File

@ -1,5 +1,5 @@
policy_module(rwho,1.1.0)
policy_module(rwho,1.1.1)
########################################
#
@ -10,7 +10,9 @@ type rwho_t;
type rwho_exec_t;
init_daemon_domain(rwho_t, rwho_exec_t)
# var/spool files
type rwho_log_t;
files_type(rwho_log_t)
type rwho_spool_t;
files_type(rwho_spool_t)
@ -25,7 +27,10 @@ allow rwho_t self:fifo_file rw_file_perms;
allow rwho_t self:unix_stream_socket create_stream_socket_perms;
allow rwho_t self:udp_socket create_socket_perms;
# var/spool files for rwho
allow rwho_t rwho_log_t:dir manage_dir_perms;
allow rwho_t rwho_log_t:file manage_file_perms;
logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
allow rwho_t rwho_spool_t:dir manage_dir_perms;
allow rwho_t rwho_spool_t:file manage_file_perms;
files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })

View File

@ -8,7 +8,11 @@
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
ifdef(`strict_policy',`
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(spamassassin,1.7.1)
policy_module(spamassassin,1.7.2)
########################################
#
@ -87,8 +87,9 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
files_pid_filetrans(spamd_t,spamd_var_run_t,file)
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)

View File

@ -1,5 +1,5 @@
policy_module(raid,1.3.0)
policy_module(raid,1.3.1)
########################################
#
@ -70,6 +70,7 @@ miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_use_sysadm_ttys(mdadm_t)
userdom_dontaudit_search_all_users_home_content(mdadm_t)
mta_send_mail(mdadm_t)