trunk: 7 patches from dan.

This commit is contained in:
Chris PeBenito 2008-04-04 17:08:34 +00:00
parent c565b44f9c
commit 8152a78836
9 changed files with 69 additions and 46 deletions

View File

@ -180,25 +180,6 @@ template(`userhelper_per_role_template',`
optional_policy(` optional_policy(`
nscd_socket_use($1_userhelper_t) nscd_socket_use($1_userhelper_t)
') ')
ifdef(`TODO',`
allow $1_userhelper_t xdm_t:fd use;
allow $1_userhelper_t xdm_var_run_t:dir search;
allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
optional_policy(`
allow $1_userhelper_t gphdomain:fd use;
')
optional_policy(`
domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
')
optional_policy(`
domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
')
# for when the network connection is killed
dontaudit unpriv_userdomain $1_userhelper_t:process signal;
')
') ')
######################################## ########################################

View File

@ -851,9 +851,8 @@ interface(`kernel_rw_afs_state',`
type proc_t, proc_afs_t; type proc_t, proc_afs_t;
') ')
read_files_pattern($1,proc_t,proc_afs_t)
list_dirs_pattern($1,proc_t,proc_t) list_dirs_pattern($1,proc_t,proc_t)
rw_files_pattern($1,proc_afs_t,proc_afs_t)
') ')
####################################### #######################################

View File

@ -1,5 +1,5 @@
policy_module(kernel,1.9.0) policy_module(kernel,1.9.1)
######################################## ########################################
# #
@ -363,7 +363,7 @@ optional_policy(`
allow kern_unconfined proc_type:{ dir file lnk_file } *; allow kern_unconfined proc_type:{ dir file lnk_file } *;
allow kern_unconfined sysctl_t:{ dir file } *; allow kern_unconfined sysctl_type:{ dir file } *;
allow kern_unconfined kernel_t:system *; allow kern_unconfined kernel_t:system *;
@ -372,5 +372,3 @@ allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
kernel_rw_all_sysctls(kern_unconfined)

View File

@ -1 +1,40 @@
## <summary>Remote-mail retrieval and forwarding utility</summary> ## <summary>Remote-mail retrieval and forwarding utility</summary>
########################################
## <summary>
## All of the rules required to administrate
## an fetchmail environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the fetchmail domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`fetchmail_admin',`
gen_require(`
type fetchmail_t, fetchmail_etc_t;
type fetchmail_uidl_cache_t, fetchmail_var_run_t;
')
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t)
manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t)
files_list_pids($1)
manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(fetchmail,1.5.0) policy_module(fetchmail,1.5.1)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(openct,1.2.0) policy_module(openct,1.2.1)
######################################## ########################################
# #
@ -22,7 +22,8 @@ dontaudit openct_t self:capability sys_tty_config;
allow openct_t self:process signal_perms; allow openct_t self:process signal_perms;
manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,file) manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(openct_t) kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t) kernel_list_proc(openct_t)

View File

@ -1,5 +1,5 @@
policy_module(pegasus,1.5.0) policy_module(pegasus,1.5.1)
######################################## ########################################
# #
@ -42,6 +42,7 @@ allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir }) filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@ -113,18 +114,16 @@ libs_use_ld_so(pegasus_t)
libs_use_shared_libs(pegasus_t) libs_use_shared_libs(pegasus_t)
logging_send_audit_msgs(pegasus_t) logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
miscfiles_read_localization(pegasus_t) miscfiles_read_localization(pegasus_t)
sysnet_read_config(pegasus_t) sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t) userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
optional_policy(`
logging_send_syslog_msg(pegasus_t)
')
optional_policy(` optional_policy(`
rpm_exec(pegasus_t) rpm_exec(pegasus_t)
') ')

View File

@ -1,5 +1,5 @@
policy_module(rlogin,1.6.0) policy_module(rlogin,1.6.1)
######################################## ########################################
# #
@ -61,6 +61,8 @@ corenet_udp_sendrecv_all_ports(rlogind_t)
dev_read_urand(rlogind_t) dev_read_urand(rlogind_t)
domain_interactive_fd(rlogind_t)
fs_getattr_xattr_fs(rlogind_t) fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t) fs_search_auto_mountpoints(rlogind_t)
@ -82,23 +84,20 @@ logging_send_syslog_msg(rlogind_t)
miscfiles_read_localization(rlogind_t) miscfiles_read_localization(rlogind_t)
seutil_dontaudit_search_config(rlogind_t) seutil_read_config(rlogind_t)
userdom_setattr_unpriv_users_ptys(rlogind_t) userdom_setattr_unpriv_users_ptys(rlogind_t)
# cjp: this is egregious # cjp: this is egregious
userdom_read_all_users_home_content_files(rlogind_t) userdom_read_all_users_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t) remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
optional_policy(` optional_policy(`
kerberos_use(rlogind_t)
kerberos_read_keytab(rlogind_t) kerberos_read_keytab(rlogind_t)
') ')
optional_policy(` optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
') ')
ifdef(`TODO',`
# Allow krb5 rlogind to use fork and open /dev/tty for use
allow rlogind_t userpty_type:chr_file setattr;
')

View File

@ -1,5 +1,5 @@
policy_module(telnet,1.6.0) policy_module(telnet,1.6.1)
######################################## ########################################
# #
@ -59,6 +59,8 @@ corenet_udp_sendrecv_all_ports(telnetd_t)
dev_read_urand(telnetd_t) dev_read_urand(telnetd_t)
domain_interactive_fd(telnetd_t)
fs_getattr_xattr_fs(telnetd_t) fs_getattr_xattr_fs(telnetd_t)
auth_rw_login_records(telnetd_t) auth_rw_login_records(telnetd_t)
@ -66,6 +68,7 @@ auth_use_nsswitch(telnetd_t)
corecmd_search_bin(telnetd_t) corecmd_search_bin(telnetd_t)
files_read_usr_files(telnetd_t)
files_read_etc_files(telnetd_t) files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t) files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules? # for identd; cjp: this should probably only be inetd_child rules?
@ -80,17 +83,21 @@ logging_send_syslog_msg(telnetd_t)
miscfiles_read_localization(telnetd_t) miscfiles_read_localization(telnetd_t)
seutil_dontaudit_search_config(telnetd_t) seutil_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t) remotelogin_domtrans(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules? userdom_search_unpriv_users_home_dirs(telnetd_t)
optional_policy(` optional_policy(`
kerberos_use(telnetd_t) kerberos_use(telnetd_t)
kerberos_read_keytab(telnetd_t) kerberos_read_keytab(telnetd_t)
') ')
ifdef(`TODO',` tunable_policy(`use_nfs_home_dirs',`
# Allow krb5 telnetd to use fork and open /dev/tty for use fs_search_nfs(telnetd_t)
allow telnetd_t userpty_type:chr_file setattr; ')
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
') ')