trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain().
This commit is contained in:
parent
14add30d03
commit
8242f5a68d
@ -1,3 +1,4 @@
|
|||||||
|
- Add tcpd_wrapped_domain() for services that use tcp wrappers.
|
||||||
- Update MLS constraints from LSPP evaluated policy.
|
- Update MLS constraints from LSPP evaluated policy.
|
||||||
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
|
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
|
||||||
Accordingly drop MLS permissions from daemons that inherit from any level.
|
Accordingly drop MLS permissions from daemons that inherit from any level.
|
||||||
@ -16,6 +17,7 @@
|
|||||||
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
|
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
|
||||||
- Added modules:
|
- Added modules:
|
||||||
application
|
application
|
||||||
|
bitlbee (Devin Carraway)
|
||||||
brctl (Dan Walsh)
|
brctl (Dan Walsh)
|
||||||
|
|
||||||
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
|
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork,1.2.10)
|
policy_module(corenetwork,1.2.11)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -67,6 +67,7 @@ network_port(afs_vl, udp,7003,s0)
|
|||||||
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
||||||
network_port(amavisd_recv, tcp,10024,s0)
|
network_port(amavisd_recv, tcp,10024,s0)
|
||||||
network_port(amavisd_send, tcp,10025,s0)
|
network_port(amavisd_send, tcp,10025,s0)
|
||||||
|
network_port(aol, tcp,5190,s0, udp,5190,s0)
|
||||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||||
network_port(auth, tcp,113,s0)
|
network_port(auth, tcp,113,s0)
|
||||||
@ -112,6 +113,8 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
|||||||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||||
network_port(lmtp, tcp,24,s0, udp,24,s0)
|
network_port(lmtp, tcp,24,s0, udp,24,s0)
|
||||||
network_port(mail, tcp,2000,s0)
|
network_port(mail, tcp,2000,s0)
|
||||||
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
network_port(mysqld, tcp,3306,s0)
|
network_port(mysqld, tcp,3306,s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
|
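--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
@@ -0,0 +1,3 @@
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)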
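--- a/policy/modules/services/bitlbee.if
+++ b/policy/modules/services/bitlbee.if
@@ -0,0 +1,22 @@
+## <summary>Bitlbee service</summary>
+
+########################################
+## <summary>
+## Read bitlbee configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed accesss.
+## </summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+gen_require(`
+type bitlbee_conf_t;
+')
+
+files_search_etc($1)
+allow $1 bitlbee_conf_t:dir { getattr read search };
+allow $1 bitlbee_conf_t:file { read getattr };
+')
+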
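Review bot: The two raw allow rules at the end of `bitlbee_read_config` spell out permission sets by hand (`allow $1 bitlbee_conf_t:dir { getattr read search };` and `allow $1 bitlbee_conf_t:file { read getattr };`) where the rest of this commit uses the refpolicy helpers, e.g. finger.te's `list_dir_perms` and `read_files_pattern`; `allow $1 bitlbee_conf_t:dir list_dir_perms;` plus `read_files_pattern($1, bitlbee_conf_t, bitlbee_conf_t)` would express the same intent consistently, with the caveat that read_file_perms also grants lock and ioctl, which the hand-written set omits. The parameter summary `## Domain allowed accesss.` has a typo and presumably should read `## Domain allowed access.`. The interface is otherwise complete, and it is correctly the only thing bitlbee.te uses for bitlbee_conf_t.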
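--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -0,0 +1,70 @@
+
+policy_module(bitlbee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+#
+
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_udp_sendrecv_lo_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_lo_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+libs_use_ld_so(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+# normally started from inetd using tcpwrappers, so use those entry points
+tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')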
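Review bot: `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)` only matters for files bitlbee_t creates directly in /var/lib, and the underlying filetrans pattern grants bitlbee_t rw_dir_perms on var_lib_t to make that possible; bitlbee.fc already labels /var/lib/bitlbee(/.*)? as bitlbee_var_t, so anything created inside that directory gets the right label from `manage_files_pattern` alone. Unless bitlbee is known to create objects at the top of /var/lib, dropping the filetrans keeps the domain to what it needs, and if it creates the /var/lib/bitlbee directory itself the transition should name `dir`, not `file`. Minor: the `# Local policy` header carries two trailing `#` lines while `# Declarations` has one, so one of them can go. The tcpd dependency is correctly wrapped in `optional_policy()` since tcpd is a separate module, but `inetd_tcp_service_domain()` is called unconditionally a few lines above; that matches finger.te and uwimap.te in this tree, so it is consistent rather than wrong.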
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(finger,1.4.0)
|
policy_module(finger,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -8,8 +8,8 @@ policy_module(finger,1.4.0)
|
|||||||
|
|
||||||
type fingerd_t;
|
type fingerd_t;
|
||||||
type fingerd_exec_t;
|
type fingerd_exec_t;
|
||||||
init_daemon_domain(fingerd_t,fingerd_exec_t)
|
init_daemon_domain(fingerd_t, fingerd_exec_t)
|
||||||
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
|
inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
|
||||||
|
|
||||||
type fingerd_etc_t;
|
type fingerd_etc_t;
|
||||||
files_config_file(fingerd_etc_t)
|
files_config_file(fingerd_etc_t)
|
||||||
@ -34,15 +34,15 @@ allow fingerd_t self:udp_socket create_socket_perms;
|
|||||||
allow fingerd_t self:unix_dgram_socket create_socket_perms;
|
allow fingerd_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow fingerd_t self:unix_stream_socket create_socket_perms;
|
allow fingerd_t self:unix_stream_socket create_socket_perms;
|
||||||
|
|
||||||
manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t)
|
manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
|
||||||
files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
|
files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
|
||||||
|
|
||||||
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
|
allow fingerd_t fingerd_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
|
read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
|
||||||
read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
|
read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
|
||||||
|
|
||||||
allow fingerd_t fingerd_log_t:file manage_file_perms;
|
allow fingerd_t fingerd_log_t:file manage_file_perms;
|
||||||
logging_log_filetrans(fingerd_t,fingerd_log_t,file)
|
logging_log_filetrans(fingerd_t, fingerd_log_t, file)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(fingerd_t)
|
kernel_read_kernel_sysctls(fingerd_t)
|
||||||
kernel_read_system_state(fingerd_t)
|
kernel_read_system_state(fingerd_t)
|
||||||
@ -105,7 +105,7 @@ ifdef(`targeted_policy',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_system_entry(fingerd_t,fingerd_exec_t)
|
cron_system_entry(fingerd_t, fingerd_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -124,6 +124,10 @@ optional_policy(`
|
|||||||
seutil_sigchld_newrole(fingerd_t)
|
seutil_sigchld_newrole(fingerd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(fingerd_t)
|
udev_read_db(fingerd_t)
|
||||||
')
|
')
|
||||||
|
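Review bot: The `@@ -34,15 +34,15 @@` hunk changes `allow fingerd_t fingerd_etc_t:dir r_dir_perms;` to `allow fingerd_t fingerd_etc_t:dir list_dir_perms;` in the middle of an otherwise whitespace-only reformat, and neither the commit title nor the Changelog entry (which only mentions `tcpd_wrapped_domain()`) says anything about a fingerd permission change. Whether the two macros expand to the same set in this tree is not visible here; if the rename is behaviour-neutral it deserves a word in the description, and if it is not it belongs in its own change so the policy delta for fingerd can be reviewed on its own. The new `optional_policy()` block at `@@ -124,6 +124,10 @@` adding `tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)` is consistent with the other services in this commit.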
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(nagios,1.3.0)
|
policy_module(nagios,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -8,11 +8,11 @@ policy_module(nagios,1.3.0)
|
|||||||
|
|
||||||
type nagios_t;
|
type nagios_t;
|
||||||
type nagios_exec_t;
|
type nagios_exec_t;
|
||||||
init_daemon_domain(nagios_t,nagios_exec_t)
|
init_daemon_domain(nagios_t, nagios_exec_t)
|
||||||
|
|
||||||
type nagios_cgi_t;
|
type nagios_cgi_t;
|
||||||
type nagios_cgi_exec_t;
|
type nagios_cgi_exec_t;
|
||||||
init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
|
init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
|
||||||
|
|
||||||
type nagios_etc_t;
|
type nagios_etc_t;
|
||||||
files_config_file(nagios_etc_t)
|
files_config_file(nagios_etc_t)
|
||||||
@ -28,7 +28,7 @@ files_pid_file(nagios_var_run_t)
|
|||||||
|
|
||||||
type nrpe_t;
|
type nrpe_t;
|
||||||
type nrpe_exec_t;
|
type nrpe_exec_t;
|
||||||
init_daemon_domain(nrpe_t,nrpe_exec_t)
|
init_daemon_domain(nrpe_t, nrpe_exec_t)
|
||||||
|
|
||||||
type nrpe_etc_t;
|
type nrpe_etc_t;
|
||||||
files_config_file(nrpe_etc_t)
|
files_config_file(nrpe_etc_t)
|
||||||
@ -45,20 +45,20 @@ allow nagios_t self:fifo_file rw_file_perms;
|
|||||||
allow nagios_t self:tcp_socket create_stream_socket_perms;
|
allow nagios_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow nagios_t self:udp_socket create_socket_perms;
|
allow nagios_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
|
read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
|
||||||
read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
|
read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
|
||||||
allow nagios_t nagios_etc_t:dir list_dir_perms;
|
allow nagios_t nagios_etc_t:dir list_dir_perms;
|
||||||
|
|
||||||
manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
|
manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
||||||
manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
|
manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
||||||
logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
|
logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
|
||||||
|
|
||||||
manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
|
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
||||||
manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
|
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
||||||
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
|
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
|
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
|
||||||
files_pid_filetrans(nagios_t,nagios_var_run_t,file)
|
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
|
||||||
|
|
||||||
kernel_read_system_state(nagios_t)
|
kernel_read_system_state(nagios_t)
|
||||||
kernel_read_kernel_sysctls(nagios_t)
|
kernel_read_kernel_sysctls(nagios_t)
|
||||||
@ -142,16 +142,16 @@ optional_policy(`
|
|||||||
allow nagios_cgi_t self:process signal_perms;
|
allow nagios_cgi_t self:process signal_perms;
|
||||||
allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
|
allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
|
read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
|
||||||
read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
|
read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
|
||||||
|
|
||||||
allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
|
allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
|
read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
|
||||||
read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
|
read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
|
||||||
|
|
||||||
allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
|
allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
|
||||||
read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
|
read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
|
||||||
read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
|
read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
|
||||||
|
|
||||||
kernel_read_system_state(nagios_cgi_t)
|
kernel_read_system_state(nagios_cgi_t)
|
||||||
|
|
||||||
@ -218,13 +218,17 @@ ifdef(`targeted_policy',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
|
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(nrpe_t)
|
seutil_sigchld_newrole(nrpe_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(nrpe_t)
|
udev_read_db(nrpe_t)
|
||||||
')
|
')
|
||||||
|
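Review bot: `read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)` in the `@@ -142,16 +142,16 @@` hunk name nagios_etc_t as the directory type with nagios_log_t as the file type, directly under `allow nagios_cgi_t nagios_log_t:dir list_dir_perms;`; this looks like a pre-existing copy of the nagios_etc_t block above it and presumably should read `read_files_pattern(nagios_cgi_t, nagios_log_t, nagios_log_t)` (and likewise for the lnk_file rule). The reformat touches both lines without fixing them, so either correct them here or leave a `# TODO` comment so the mismatch is not taken as deliberate. The CGI domain still reads the log files only because the preceding dir rule already grants search on nagios_log_t directories, which is an accidental rather than documented dependency.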
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rlogin,1.4.0)
|
policy_module(rlogin,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -8,7 +8,7 @@ policy_module(rlogin,1.4.0)
|
|||||||
|
|
||||||
type rlogind_t;
|
type rlogind_t;
|
||||||
type rlogind_exec_t;
|
type rlogind_exec_t;
|
||||||
inetd_service_domain(rlogind_t,rlogind_exec_t)
|
inetd_service_domain(rlogind_t, rlogind_exec_t)
|
||||||
role system_r types rlogind_t;
|
role system_r types rlogind_t;
|
||||||
|
|
||||||
type rlogind_devpts_t; #, userpty_type;
|
type rlogind_devpts_t; #, userpty_type;
|
||||||
@ -39,12 +39,12 @@ term_create_pty(rlogind_t,rlogind_devpts_t)
|
|||||||
# for /usr/lib/telnetlogin
|
# for /usr/lib/telnetlogin
|
||||||
can_exec(rlogind_t, rlogind_exec_t)
|
can_exec(rlogind_t, rlogind_exec_t)
|
||||||
|
|
||||||
manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
|
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
|
||||||
manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
|
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
|
||||||
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
|
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t)
|
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
|
||||||
files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
|
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(rlogind_t)
|
kernel_read_kernel_sysctls(rlogind_t)
|
||||||
kernel_read_system_state(rlogind_t)
|
kernel_read_system_state(rlogind_t)
|
||||||
@ -96,6 +96,10 @@ optional_policy(`
|
|||||||
kerberos_read_keytab(rlogind_t)
|
kerberos_read_keytab(rlogind_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Allow krb5 rlogind to use fork and open /dev/tty for use
|
# Allow krb5 rlogind to use fork and open /dev/tty for use
|
||||||
allow rlogind_t userpty_type:chr_file setattr;
|
allow rlogind_t userpty_type:chr_file setattr;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rshd,1.3.1)
|
policy_module(rshd,1.3.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -7,7 +7,7 @@ policy_module(rshd,1.3.1)
|
|||||||
#
|
#
|
||||||
type rshd_t;
|
type rshd_t;
|
||||||
type rshd_exec_t;
|
type rshd_exec_t;
|
||||||
inetd_tcp_service_domain(rshd_t,rshd_exec_t)
|
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
|
||||||
domain_subj_id_change_exemption(rshd_t)
|
domain_subj_id_change_exemption(rshd_t)
|
||||||
domain_role_change_exemption(rshd_t)
|
domain_role_change_exemption(rshd_t)
|
||||||
role system_r types rshd_t;
|
role system_r types rshd_t;
|
||||||
@ -88,8 +88,6 @@ optional_policy(`
|
|||||||
nscd_socket_use(rshd_t)
|
nscd_socket_use(rshd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
allow rshd_t rlogind_tmp_t:file rw_file_perms;
|
tcpd_wrapped_domain(rshd_t,rshd_exec_t)
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
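Review bot: `tcpd_wrapped_domain(rshd_t,rshd_exec_t)` in the `@@ -88,8 +88,6 @@` hunk is the one new call in this commit without the `, ` argument spacing that the same commit applies everywhere else (finger, nagios, rlogin, uwimap and bitlbee all use `a, b`); write it as `tcpd_wrapped_domain(rshd_t, rshd_exec_t)`. The hunk also removes the ifdef TODO wrapper around the old `allow rshd_t rlogind_tmp_t:file rw_file_perms;` rule rather than only adding the tcpd block; that rule was never compiled in, so dropping it is harmless, but it is an unrelated cleanup that the Changelog entry does not mention.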
@ -15,5 +15,31 @@ interface(`tcpd_domtrans',`
|
|||||||
type tcpd_t, tcpd_exec_t;
|
type tcpd_t, tcpd_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
domtrans_pattern($1,tcpd_exec_t,tcpd_t)
|
domtrans_pattern($1, tcpd_exec_t, tcpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create a domain for services that
|
||||||
|
## utilize tcp wrappers.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Type to be used as a domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="entry_point">
|
||||||
|
## <summary>
|
||||||
|
## Type of the program to be used as an entry point to this domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`tcpd_wrapped_domain',`
|
||||||
|
gen_require(`
|
||||||
|
type tcpd_t;
|
||||||
|
role system_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern(tcpd_t, $2, $1)
|
||||||
|
role system_r types $1;
|
||||||
')
|
')
|
||||||
|
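Review bot: The summary of the new `tcpd_wrapped_domain` interface says it will "Create a domain for services that utilize tcp wrappers", but the body only adds `domtrans_pattern(tcpd_t, $2, $1)` and `role system_r types $1;`; it declares no type and does not make $1 a domain, which is why every caller in this commit first runs `init_daemon_domain()` or an `inetd_*_service_domain()` interface on the same pair. Suggested summary: `## Allow tcpd to transition to the domain of a service that uses tcp wrappers. The domain and its entry point type must already be declared by the caller.` The `role system_r types $1;` line would also benefit from a one-line why-comment, e.g. `# tcpd runs in system_r, so the wrapped service must be reachable from that role`, since it is the reason the interface requires `role system_r`. With the per-service `*_domtrans(tcpd_t)` blocks removed from tcpd.te, callers of this interface are now the only place the tcpd_t transition is granted, so the summary should say so rather than imply the interface is optional sugar.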
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(tcpd,1.2.0)
|
policy_module(tcpd,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -7,7 +7,7 @@ policy_module(tcpd,1.2.0)
|
|||||||
#
|
#
|
||||||
type tcpd_t;
|
type tcpd_t;
|
||||||
type tcpd_exec_t;
|
type tcpd_exec_t;
|
||||||
inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
|
inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
|
||||||
role system_r types tcpd_t;
|
role system_r types tcpd_t;
|
||||||
|
|
||||||
type tcpd_tmp_t;
|
type tcpd_tmp_t;
|
||||||
@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
|
|||||||
#
|
#
|
||||||
allow tcpd_t self:tcp_socket create_stream_socket_perms;
|
allow tcpd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
|
manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
|
||||||
manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
|
manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
|
||||||
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
|
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(tcpd_t)
|
corenet_all_recvfrom_unlabeled(tcpd_t)
|
||||||
@ -49,26 +49,6 @@ sysnet_read_config(tcpd_t)
|
|||||||
|
|
||||||
inetd_domtrans_child(tcpd_t)
|
inetd_domtrans_child(tcpd_t)
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
finger_domtrans(tcpd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nis_use_ypbind(tcpd_t)
|
nis_use_ypbind(tcpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
nagios_domtrans_nrpe(tcpd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
rlogin_domtrans(tcpd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
rshd_domtrans(tcpd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
uwimap_domtrans(tcpd_t)
|
|
||||||
')
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(uwimap,1.3.0)
|
policy_module(uwimap,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -8,8 +8,8 @@ policy_module(uwimap,1.3.0)
|
|||||||
|
|
||||||
type imapd_t;
|
type imapd_t;
|
||||||
type imapd_exec_t;
|
type imapd_exec_t;
|
||||||
init_daemon_domain(imapd_t,imapd_exec_t)
|
init_daemon_domain(imapd_t, imapd_exec_t)
|
||||||
inetd_tcp_service_domain(imapd_t,imapd_exec_t)
|
inetd_tcp_service_domain(imapd_t, imapd_exec_t)
|
||||||
|
|
||||||
type imapd_tmp_t;
|
type imapd_tmp_t;
|
||||||
files_tmp_file(imapd_tmp_t)
|
files_tmp_file(imapd_tmp_t)
|
||||||
@ -28,12 +28,12 @@ allow imapd_t self:process signal_perms;
|
|||||||
allow imapd_t self:fifo_file rw_fifo_file_perms;
|
allow imapd_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow imapd_t self:tcp_socket create_stream_socket_perms;
|
allow imapd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
|
manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
|
||||||
manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
|
manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
|
||||||
files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
|
files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t)
|
manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
|
||||||
files_pid_filetrans(imapd_t,imapd_var_run_t,file)
|
files_pid_filetrans(imapd_t, imapd_var_run_t, file)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(imapd_t)
|
kernel_read_kernel_sysctls(imapd_t)
|
||||||
kernel_list_proc(imapd_t)
|
kernel_list_proc(imapd_t)
|
||||||
@ -92,6 +92,10 @@ optional_policy(`
|
|||||||
seutil_sigchld_newrole(imapd_t)
|
seutil_sigchld_newrole(imapd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tcpd_wrapped_domain(imapd_t, imapd_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(imapd_t)
|
udev_read_db(imapd_t)
|
||||||
')
|
')
|
||||||
|