trunk: 12 patches from dan.

This commit is contained in:
Chris PeBenito 2008-02-07 16:37:47 +00:00
parent 12cf805e1c
commit 7a5e2d8a37
27 changed files with 512 additions and 22 deletions

View File

@ -25,7 +25,7 @@
# #
# /var # /var
# #
/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
# Fix pptp sockets # Fix pptp sockets

View File

@ -269,3 +269,66 @@ interface(`ppp_pid_filetrans',`
files_pid_filetrans($1,pppd_var_run_t,file) files_pid_filetrans($1,pppd_var_run_t,file)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an ppp environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the ppp domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
type pppd_etc_t, pppd_script_t, pppd_secret_t;
type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
')
allow $1 pppd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, pppd_t)
files_list_tmp($1)
manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
logging_list_logs($1)
manage_files_pattern($1, pppd_log_t, pppd_log_t)
manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
files_list_etc($1)
manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
files_list_var_lib($1)
manage_files_pattern($1, pppd_var_lib_t, pppd_var_lib_t)
files_list_pids($1)
manage_files_pattern($1, pppd_var_run_t), pppd_var_run_t
allow $1 pptp_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, pptp_t)
manage_files_pattern($1, pptp_log_t, pptp_log_t)
manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(ppp,1.6.0) policy_module(ppp,1.6.1)
######################################## ########################################
# #
@ -162,6 +162,8 @@ files_read_etc_files(pppd_t)
init_read_utmp(pppd_t) init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t) init_dontaudit_write_utmp(pppd_t)
auth_use_nsswitch(pppd_t)
libs_use_ld_so(pppd_t) libs_use_ld_so(pppd_t)
libs_use_shared_libs(pppd_t) libs_use_shared_libs(pppd_t)
@ -196,14 +198,6 @@ optional_policy(`
mta_send_mail(pppd_t) mta_send_mail(pppd_t)
') ')
optional_policy(`
nis_use_ypbind(pppd_t)
')
optional_policy(`
nscd_socket_use(pppd_t)
')
optional_policy(` optional_policy(`
postfix_domtrans_master(pppd_t) postfix_domtrans_master(pppd_t)
') ')
@ -221,8 +215,9 @@ optional_policy(`
# PPTP Local policy # PPTP Local policy
# #
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:capability net_raw; allow pptp_t self:capability net_raw;
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file { read write }; allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket create_socket_perms; allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };

View File

@ -1 +1,42 @@
## <summary>Privacy enhancing web proxy.</summary> ## <summary>Privacy enhancing web proxy.</summary>
########################################
## <summary>
## All of the rules required to administrate
## an privoxy environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the privoxy domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`privoxy_admin',`
gen_require(`
type privoxy_t, privoxy_log_t;
type privoxy_etc_rw_t, privoxy_var_run_t;
')
allow $1 privoxy_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, privoxy_t)
logging_list_logs($1)
manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
files_list_etc($1)
manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
files_list_pids($1)
manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(privoxy,1.5.0) policy_module(privoxy,1.5.1)
######################################## ########################################
# #

View File

@ -13,3 +13,49 @@
interface(`radius_use',` interface(`radius_use',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
########################################
## <summary>
## All of the rules required to administrate
## an radius environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the radius domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`radius_admin',`
gen_require(`
type radius_t, radius_etc_t, radius_log_t;
type radius_etc_rw_t, radius_var_lib_t, radius_var_run_t;
')
allow $1 radius_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, radius_t)
files_list_etc($1)
manage_files_pattern($1, radius_etc_t, radius_etc_t)
logging_list_logs($1)
manage_files_pattern($1, radius_log_t, radius_log_t)
manage_files_pattern($1, radius_etc_rw_t, radius_etc_rw_t)
files_list_var_lib($1)
manage_files_pattern($1, radius_var_lib_t, radius_var_lib_t)
files_list_pids($1)
manage_files_pattern($1, radius_var_run_t, radius_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(radius,1.6.0) policy_module(radius,1.6.1)
######################################## ########################################
# #

View File

@ -1 +1,39 @@
## <summary>IPv6 router advertisement daemon</summary> ## <summary>IPv6 router advertisement daemon</summary>
########################################
## <summary>
## All of the rules required to administrate
## an radvd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the radvd domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`radvd_admin',`
gen_require(`
type radvd_t, radvd_etc_t;
type radvd_var_run_t;
')
allow $1 radvd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, radvd_t)
files_list_etc($1)
manage_files_pattern($1, radvd_etc_t, radvd_etc_t)
files_list_pids($1)
manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(radvd,1.6.0) policy_module(radvd,1.6.1)
######################################## ########################################
# #

View File

@ -18,3 +18,20 @@ interface(`remotelogin_domtrans',`
auth_domtrans_login_program($1,remote_login_t) auth_domtrans_login_program($1,remote_login_t)
') ')
########################################
## <summary>
## allow Domain to signal remote login domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`remotelogin_signal',`
gen_require(`
type remote_login_t;
')
allow $1 remote_login_t:process signal;
')

View File

@ -1,5 +1,5 @@
policy_module(remotelogin,1.4.0) policy_module(remotelogin,1.4.1)
######################################## ########################################
# #

View File

@ -115,3 +115,40 @@ interface(`rwho_manage_spool_files',`
manage_files_pattern($1,rwho_spool_t,rwho_spool_t) manage_files_pattern($1,rwho_spool_t,rwho_spool_t)
files_search_spool($1) files_search_spool($1)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an rwho environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the rwho domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`rwho_admin',`
gen_require(`
type rwho_t, rwho_log_t, rwho_spool_t;
')
allow $1 rwho_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, rwho_t)
logging_list_logs($1)
manage_files_pattern($1, rwho_log_t, rwho_log_t)
files_list_spool($1)
manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
')

View File

@ -1,5 +1,5 @@
policy_module(rwho,1.3.0) policy_module(rwho,1.3.1)
######################################## ########################################
# #

View File

@ -18,3 +18,42 @@ interface(`sasl_connect',`
files_search_pids($1) files_search_pids($1)
stream_connect_pattern($1,saslauthd_var_run_t,saslauthd_var_run_t,saslauthd_t) stream_connect_pattern($1,saslauthd_var_run_t,saslauthd_var_run_t,saslauthd_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an sasl environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the sasl domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`sasl_admin',`
gen_require(`
type sasl_t;
type sasl_tmp_t;
type sasl_var_run_t;
')
allow $1 sasl_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, sasl_t)
files_list_tmp($1)
manage_files_pattern($1, sasl_tmp_t, sasl_tmp_t)
files_list_pids($1)
manage_files_pattern($1, sasl_var_run_t, sasl_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(sasl,1.7.0) policy_module(sasl,1.7.1)
######################################## ########################################
# #

View File

@ -17,3 +17,40 @@ interface(`smartmon_read_tmp_files',`
allow $1 fsdaemon_tmp_t:file { getattr ioctl read }; allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
') ')
########################################
## <summary>
## All of the rules required to administrate
## an smartmon environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the smartmon domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`smartmon_admin',`
gen_require(`
type smartmon_t, smartmon_tmp_t, smartmon_var_run_t;
')
allow $1 smartmon_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, smartmon_t)
files_list_tmp($1)
manage_files_pattern($1, smartmon_tmp_t, smartmon_tmp_t)
files_list_pids($1)
manage_files_pattern($1, smartmon_var_run_t, smartmon_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(smartmon,1.4.0) policy_module(smartmon,1.4.1)
######################################## ########################################
# #
@ -49,6 +49,7 @@ corenet_udp_sendrecv_all_nodes(fsdaemon_t)
corenet_udp_sendrecv_all_ports(fsdaemon_t) corenet_udp_sendrecv_all_ports(fsdaemon_t)
dev_read_sysfs(fsdaemon_t) dev_read_sysfs(fsdaemon_t)
dev_read_urand(fsdaemon_t)
domain_use_interactive_fds(fsdaemon_t) domain_use_interactive_fds(fsdaemon_t)

View File

@ -84,3 +84,44 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
dontaudit $1 snmpd_var_lib_t:file write; dontaudit $1 snmpd_var_lib_t:file write;
') ')
########################################
## <summary>
## All of the rules required to administrate
## an snmp environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the snmp domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`snmp_admin',`
gen_require(`
type snmp_t, snmp_log_t;
type snmp_var_lib_t, snmp_var_run_t;
')
allow $1 snmp_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, snmp_t)
logging_list_logs($1)
manage_files_pattern($1, snmp_log_t, snmp_log_t)
files_list_var_lib($1)
manage_files_pattern($1, snmp_var_lib_t, snmp_var_lib_t)
files_list_pids($1)
manage_files_pattern($1, snmp_var_run_t, snmp_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(snmp,1.6.0) policy_module(snmp,1.6.1)
######################################## ########################################
# #

View File

@ -4,3 +4,5 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)

View File

@ -1 +1,40 @@
## <summary>Trivial file transfer protocol daemon</summary> ## <summary>Trivial file transfer protocol daemon</summary>
########################################
## <summary>
## All of the rules required to administrate
## an tftp environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the tftp domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`tftp_admin',`
gen_require(`
type tftp_t, tftpdir_t;
type tftp_rw_t, tftp_var_run_t;
')
allow $1 tftp_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tftp_t)
manage_files_pattern($1, tftp_rw_t, tftp_rw_t)
manage_files_pattern($1, tftpdir_t, tftpdir_t)
files_list_pids($1)
manage_files_pattern($1, tftp_var_run_t, tftp_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(tftp,1.6.0) policy_module(tftp,1.6.1)
######################################## ########################################
# #

View File

@ -1,5 +1,6 @@
/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)

View File

@ -17,3 +17,47 @@ interface(`tor_domtrans',`
domtrans_pattern($1,tor_exec_t,tor_t) domtrans_pattern($1,tor_exec_t,tor_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an tor environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the tor domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`tor_admin',`
gen_require(`
type tor_t, tor_log_t, tor_etc_t;
type tor_var_lib_t, tor_var_run_t;
')
allow $1 tor_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tor_t)
logging_list_logs($1)
manage_files_pattern($1, tor_log_t, tor_log_t)
files_list_etc($1)
manage_files_pattern($1, tor_etc_t, tor_etc_t)
files_list_var_lib($1)
manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t)
files_list_pids($1)
manage_files_pattern($1, tor_var_run_t, tor_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(tor,1.3.0) policy_module(tor,1.3.1)
######################################## ########################################
# #

View File

@ -60,3 +60,52 @@ interface(`uucp_domtrans_uux',`
domtrans_pattern($1,uux_exec_t,uux_t) domtrans_pattern($1,uux_exec_t,uux_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an uucp environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the uucp domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`uucp_admin',`
gen_require(`
type uucp_t, uucp_tmp_t, uucp_log_t;
type uucp_spool_t, uucp_ro_t, uucp_rw_t;
type uucp_var_run_t;
')
allow $1 uucp_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, uucp_t)
files_list_tmp($1)
manage_files_pattern($1, uucp_tmp_t, uucp_tmp_t)
logging_list_logs($1)
manage_files_pattern($1, uucp_log_t, uucp_log_t)
files_list_spool($1)
manage_files_pattern($1, uucp_spool_t, uucp_spool_t)
manage_files_pattern($1, uucp_rw_t, uucp_rw_t)
manage_files_pattern($1, uucp_ro_t, uucp_ro_t)
files_list_pids($1)
manage_files_pattern($1, uucp_var_run_t, uucp_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(uucp,1.6.0) policy_module(uucp,1.6.1)
######################################## ########################################
# #