add cvs
This commit is contained in:
parent
9210553ecb
commit
93070cbaed
@ -5,6 +5,7 @@
|
||||
- Fix base module compile issues.
|
||||
- Added policies:
|
||||
cpucontrol
|
||||
cvs
|
||||
ktalk
|
||||
portmap
|
||||
postgresql
|
||||
|
2
refpolicy/policy/modules/services/cvs.fc
Normal file
2
refpolicy/policy/modules/services/cvs.fc
Normal file
@ -0,0 +1,2 @@
|
||||
|
||||
/usr/bin/cvs -- context_template(system_u:object_r:cvs_exec_t,s0)
|
17
refpolicy/policy/modules/services/cvs.if
Normal file
17
refpolicy/policy/modules/services/cvs.if
Normal file
@ -0,0 +1,17 @@
|
||||
## <summary>Concurrent versions system</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the CVS data and metadata.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cvs_read_data',`
|
||||
gen_require(`
|
||||
type cvs_data_t;
|
||||
')
|
||||
|
||||
allow $1 cvs_data_t:file { getattr read };
|
||||
')
|
100
refpolicy/policy/modules/services/cvs.te
Normal file
100
refpolicy/policy/modules/services/cvs.te
Normal file
@ -0,0 +1,100 @@
|
||||
|
||||
policy_module(cvs,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type cvs_t;
|
||||
type cvs_exec_t;
|
||||
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
|
||||
role system_r types cvs_t;
|
||||
|
||||
type cvs_data_t; #, customizable;
|
||||
files_type(cvs_data_t)
|
||||
|
||||
type cvs_tmp_t;
|
||||
files_tmp_file(cvs_tmp_t)
|
||||
|
||||
type cvs_var_run_t;
|
||||
files_pid_file(cvs_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow cvs_t self:process signal_perms;
|
||||
allow cvs_t self:fifo_file rw_file_perms;
|
||||
allow cvs_t self:tcp_socket connected_stream_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow cvs_t self:capability { setuid setgid };
|
||||
|
||||
allow cvs_t cvs_data_t:dir create_dir_perms;
|
||||
allow cvs_t cvs_data_t:file create_file_perms;
|
||||
allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow cvs_t cvs_tmp_t:dir create_dir_perms;
|
||||
allow cvs_t cvs_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(cvs_t, cvs_tmp_t, { file dir })
|
||||
|
||||
allow cvs_t cvs_var_run_t:file create_file_perms;
|
||||
files_create_pid(cvs_t,cvs_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(cvs_t)
|
||||
kernel_read_system_state(cvs_t)
|
||||
kernel_read_network_state(cvs_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(cvs_t)
|
||||
corenet_udp_sendrecv_all_if(cvs_t)
|
||||
corenet_raw_sendrecv_all_if(cvs_t)
|
||||
corenet_tcp_sendrecv_all_nodes(cvs_t)
|
||||
corenet_udp_sendrecv_all_nodes(cvs_t)
|
||||
corenet_raw_sendrecv_all_nodes(cvs_t)
|
||||
corenet_tcp_sendrecv_all_ports(cvs_t)
|
||||
corenet_udp_sendrecv_all_ports(cvs_t)
|
||||
corenet_tcp_bind_all_nodes(cvs_t)
|
||||
corenet_udp_bind_all_nodes(cvs_t)
|
||||
|
||||
dev_read_urand(cvs_t)
|
||||
|
||||
fs_getattr_xattr_fs(cvs_t)
|
||||
|
||||
auth_domtrans_chk_passwd(cvs_t)
|
||||
|
||||
corecmd_exec_bin(cvs_t)
|
||||
corecmd_exec_sbin(cvs_t)
|
||||
corecmd_exec_shell(cvs_t)
|
||||
|
||||
files_read_etc_files(cvs_t)
|
||||
files_read_etc_runtime_files(cvs_t)
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
files_search_home(cvs_t)
|
||||
|
||||
libs_use_ld_so(cvs_t)
|
||||
libs_use_shared_libs(cvs_t)
|
||||
|
||||
logging_send_syslog_msg(cvs_t)
|
||||
|
||||
miscfiles_read_localization(cvs_t)
|
||||
|
||||
sysnet_read_config(cvs_t)
|
||||
|
||||
mta_send_mail(cvs_t)
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use(cvs_t)
|
||||
kerberos_read_keytab(cvs_t)
|
||||
kerberos_read_config(cvs_t)
|
||||
kerberos_dontaudit_write_config(cvs_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(cvs_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(cvs_t)
|
||||
')
|
@ -74,6 +74,23 @@ interface(`kerberos_read_config',`
|
||||
allow $1 krb5_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write the kerberos
|
||||
## configuration file (/etc/krb5.conf).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kerberos_dontaudit_write_config',`
|
||||
gen_require(`
|
||||
type krb5_conf_t;
|
||||
')
|
||||
|
||||
dontaudit $1 krb5_conf_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the kerberos configuration file (/etc/krb5.conf).
|
||||
|
@ -121,6 +121,10 @@ optional_policy(`cron.te',`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`cvs.te',`
|
||||
cvs_read_data(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te',`
|
||||
logrotate_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user