trunk: 8 patches from dan.

This commit is contained in:
Chris PeBenito 2008-10-08 20:03:24 +00:00
parent e87221cefe
commit 967fd1ba3f
22 changed files with 458 additions and 44 deletions

View File

@ -14,6 +14,7 @@
named pipe. Updated init_telinit() to match.
- Added modules:
cyphesis (Dan Walsh)
memcached (Dan Walsh)
oident (Dominick Grift)
w3c (Dan Walsh)

View File

@ -1,8 +1,10 @@
/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
ifdef(`distro_debian',`
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)

View File

@ -197,6 +197,11 @@ interface(`amavis_create_pid_files',`
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`amavis_admin',`
@ -204,28 +209,34 @@ interface(`amavis_admin',`
type amavis_t, amavis_tmp_t, amavis_var_log_t;
type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
type amavis_etc_t, amavis_quarantine_t;
type amavis_initrc_exec_t;
')
allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)
files_list_tmp($1)
manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t)
manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t)
init_labeled_script_domtrans($1, amavis_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
admin_pattern($1, amavis_etc_t)
logging_list_logs($1)
manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
admin_pattern($1, amavis_quarantine_t)
files_list_spool($1)
manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
admin_pattern($1, amavis_spool_t)
files_list_tmp($1)
admin_pattern($1, amavis_tmp_t)
files_list_var_lib($1)
manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
admin_pattern($1, amavis_var_lib_t)
logging_list_logs($1)
admin_pattern($1, amavis_var_log_t)
files_list_pids($1)
manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t)
admin_pattern($1, amavis_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(amavis, 1.7.0)
policy_module(amavis, 1.7.1)
########################################
#
@ -13,7 +13,10 @@ init_daemon_domain(amavis_t, amavis_exec_t)
# configuration files
type amavis_etc_t;
files_type(amavis_etc_t)
files_config_file(amavis_etc_t)
type amavis_initrc_exec_t;
init_script_file(amavis_initrc_exec_t)
# pid files
type amavis_var_run_t;
@ -57,6 +60,8 @@ allow amavis_t amavis_etc_t:dir list_dir_perms;
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
can_exec(amavis_t, amavis_exec_t)
# mail quarantine
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)

View File

@ -2,6 +2,7 @@
# /etc
#
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
#
# /usr
@ -12,4 +13,4 @@
# /var
#
/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0)
/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)

View File

@ -56,6 +56,42 @@ interface(`automount_read_state',`
read_files_pattern($1, automount_t, automount_t)
')
########################################
## <summary>
## Do not audit attempts to file descriptors for automount.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`automount_dontaudit_use_fds',`
gen_require(`
type automount_t;
')
dontaudit $1 automount_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to write automount daemon unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`automount_dontaudit_write_pipes',`
gen_require(`
type automount_t;
')
dontaudit $1 automount_t:fifo_file write;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
@ -74,3 +110,44 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
dontaudit $1 automount_tmp_t:dir getattr;
')
########################################
## <summary>
## All of the rules required to administrate
## an automount environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the automount domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
')
allow $1 automount_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, automount_t)
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
allow $2 system_r;
files_list_var($1)
admin_pattern($1, automount_lock_t)
files_list_tmp($1)
admin_pattern($1, automount_tmp_t)
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(automount, 1.9.0)
policy_module(automount, 1.9.1)
########################################
#
@ -10,6 +10,9 @@ type automount_t;
type automount_exec_t;
init_daemon_domain(automount_t, automount_exec_t)
type automount_initrc_exec_t;
init_script_file(automount_initrc_exec_t)
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@ -35,8 +38,6 @@ allow automount_t self:tcp_socket create_stream_socket_perms;
allow automount_t self:udp_socket create_socket_perms;
allow automount_t self:rawip_socket create_socket_perms;
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
can_exec(automount_t, automount_exec_t)
allow automount_t automount_lock_t:file manage_file_perms;
@ -52,7 +53,8 @@ files_home_filetrans(automount_t, automount_tmp_t, dir)
files_root_filetrans(automount_t, automount_tmp_t, dir)
manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
files_pid_filetrans(automount_t, automount_var_run_t, file)
manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
kernel_read_kernel_sysctls(automount_t)
kernel_read_irq_sysctls(automount_t)
@ -126,8 +128,12 @@ fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
storage_rw_fuse(automount_t)
term_dontaudit_getattr_pty_dirs(automount_t)
auth_use_nsswitch(automount_t)
libs_use_ld_so(automount_t)
libs_use_shared_libs(automount_t)
@ -140,10 +146,6 @@ miscfiles_read_certs(automount_t)
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
sysnet_dns_name_resolve(automount_t)
sysnet_use_ldap(automount_t)
sysnet_read_config(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
sysadm_dontaudit_search_home_dirs(automount_t)
@ -163,11 +165,12 @@ optional_policy(`
')
optional_policy(`
nis_use_ypbind(automount_t)
rpc_search_nfs_state_data(automount_t)
')
optional_policy(`
rpc_search_nfs_state_data(automount_t)
samba_read_config(automount_t)
samba_manage_var_files(automount_t)
')
optional_policy(`

View File

@ -3,6 +3,8 @@
#
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
#
# /usr

View File

@ -28,11 +28,13 @@ template(`ftp_per_role_template',`
type ftpd_t;
')
userdom_manage_user_home_content_files($1, ftpd_t)
userdom_manage_user_home_content_symlinks($1, ftpd_t)
userdom_manage_user_home_content_sockets($1, ftpd_t)
userdom_manage_user_home_content_pipes($1, ftpd_t)
userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content_files($1, ftpd_t)
userdom_manage_user_home_content_symlinks($1, ftpd_t)
userdom_manage_user_home_content_sockets($1, ftpd_t)
userdom_manage_user_home_content_pipes($1, ftpd_t)
userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
')
')
########################################
@ -155,3 +157,62 @@ interface(`ftp_run_ftpdctl',`
role $2 types ftpdctl_t;
allow ftpdctl_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an ftp environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the ftp domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the ftpdctl domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`ftp_admin',`
gen_require(`
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
type ftpd_etc_t, ftpd_lock_t;
type ftpd_var_run_t, xferlog_t;
type ftpd_initrc_exec_t;
')
allow $1 ftpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ftpd_t)
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ftpd_initrc_exec_t system_r;
allow $2 system_r;
ps_process_pattern($1, ftpdctl_t)
ftp_run_ftpdctl($1, $2, $3)
miscfiles_manage_public_files($1)
files_list_tmp($1)
admin_pattern($1, ftpd_tmp_t)
files_list_etc($1)
admin_pattern($1, ftpd_etc_t)
files_list_var($1)
admin_pattern($1, ftpd_lock_t)
files_list_pids($1)
admin_pattern($1, ftpd_var_run_t)
logging_list_logs($1)
admin_pattern($1, xferlog_t)
')

View File

@ -1,5 +1,5 @@
policy_module(ftp, 1.8.0)
policy_module(ftp, 1.8.1)
########################################
#
@ -53,6 +53,9 @@ init_daemon_domain(ftpd_t, ftpd_exec_t)
type ftpd_etc_t;
files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
@ -106,9 +109,10 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, file)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
@ -123,6 +127,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
kernel_search_network_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
@ -169,7 +174,9 @@ init_rw_utmp(ftpd_t)
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)

View File

@ -1,5 +1,6 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)

View File

@ -73,3 +73,49 @@ interface(`ldap_stream_connect',`
allow $1 slapd_var_run_t:sock_file write;
allow $1 slapd_t:unix_stream_socket connectto;
')
########################################
## <summary>
## All of the rules required to administrate
## an ldap environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the ldap domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`ldap_admin',`
gen_require(`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t;
')
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 slapd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, slapd_etc_t)
admin_pattern($1, slapd_lock_t)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
admin_pattern($1, slapd_tmp_t)
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(ldap, 1.7.0)
policy_module(ldap, 1.7.1)
########################################
#
@ -19,6 +19,9 @@ files_type(slapd_db_t)
type slapd_etc_t;
files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
type slapd_lock_t;
files_lock_file(slapd_lock_t)

View File

@ -0,0 +1,5 @@
/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)

View File

@ -0,0 +1,73 @@
## <summary>high-performance memory object caching system</summary>
########################################
## <summary>
## Execute a domain transition to run memcached.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`memcached_domtrans',`
gen_require(`
type memcached_t;
type memcached_exec_t;
')
domtrans_pattern($1,memcached_exec_t,memcached_t)
')
########################################
## <summary>
## Read memcached PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`memcached_read_pid_files',`
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
allow $1 memcached_var_run_t:file read_file_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an memcached environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the memcached domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`memcached_admin',`
gen_require(`
type memcached_t;
type memcached_initrc_exec_t;
')
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, memcached_var_run_t)
')

View File

@ -0,0 +1,50 @@
policy_module(memcached, 1.0.0)
########################################
#
# Declarations
#
type memcached_t;
type memcached_exec_t;
init_daemon_domain(memcached_t, memcached_exec_t)
type memcached_initrc_exec_t;
init_script_file(memcached_initrc_exec_t)
type memcached_var_run_t;
files_pid_file(memcached_var_run_t)
########################################
#
# memcached local policy
#
allow memcached_t self:capability { setuid setgid };
allow memcached_t self:tcp_socket create_stream_socket_perms;
allow memcached_t self:udp_socket { create_socket_perms listen };
allow memcached_t self:fifo_file rw_fifo_file_perms;
corenet_all_recvfrom_unlabeled(memcached_t)
corenet_udp_sendrecv_all_if(memcached_t)
corenet_udp_sendrecv_all_nodes(memcached_t)
corenet_udp_sendrecv_all_ports(memcached_t)
corenet_udp_bind_all_nodes(memcached_t)
corenet_tcp_sendrecv_all_if(memcached_t)
corenet_tcp_sendrecv_all_nodes(memcached_t)
corenet_tcp_sendrecv_all_ports(memcached_t)
corenet_tcp_bind_all_nodes(memcached_t)
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })
files_read_etc_files(memcached_t)
libs_use_ld_so(memcached_t)
libs_use_shared_libs(memcached_t)
miscfiles_read_localization(memcached_t)
sysnet_dns_name_resolve(memcached_t)

View File

@ -2,6 +2,7 @@
# /etc
#
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
#
# /usr
@ -11,5 +12,5 @@
#
# /var
#
/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)

View File

@ -90,3 +90,44 @@ interface(`openvpn_read_config',`
read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an openvpn environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the openvpn domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`openvpn_admin',`
gen_require(`
type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
type openvpn_var_run_t, openvpn_initrc_exec_t;
')
allow $1 openvpn_t:process { ptrace signal_perms };
ps_process_pattern($1, openvpn_t)
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, openvpn_etc_t)
logging_list_logs($1)
admin_pattern($1, openvpn_var_log_t)
files_list_pids($1)
admin_pattern($1, openvpn_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(openvpn, 1.5.0)
policy_module(openvpn, 1.5.1)
########################################
#
@ -20,7 +20,10 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
# configuration files
type openvpn_etc_t;
files_type(openvpn_etc_t)
files_config_file(openvpn_etc_t)
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
# log files
type openvpn_var_log_t;
@ -35,7 +38,7 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@ -45,6 +48,7 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
can_exec(openvpn_t, openvpn_etc_t)
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
@ -74,9 +78,12 @@ corenet_tcp_bind_all_nodes(openvpn_t)
corenet_udp_bind_all_nodes(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_sendrecv_openvpn_client_packets(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)

View File

@ -1,7 +1,9 @@
/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
#
# /usr
#
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
#
# /var

View File

@ -28,19 +28,30 @@ interface(`smartmon_read_tmp_files',`
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`smartmon_admin',`
gen_require(`
type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
type fsdaemon_initrc_exec_t;
')
allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, fsdaemon_t)
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
admin_pattern($1, fsdaemon_tmp_t)
files_list_pids($1)
manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
admin_pattern($1, fsdaemon_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(smartmon, 1.6.0)
policy_module(smartmon, 1.6.1)
########################################
#
@ -10,6 +10,9 @@ type fsdaemon_t;
type fsdaemon_exec_t;
init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
type fsdaemon_initrc_exec_t;
init_script_file(fsdaemon_initrc_exec_t)
type fsdaemon_var_run_t;
files_pid_file(fsdaemon_var_run_t)
@ -28,6 +31,7 @@ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
allow fsdaemon_t self:udp_socket create_socket_perms;
allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
@ -78,7 +82,7 @@ logging_send_syslog_msg(fsdaemon_t)
miscfiles_read_localization(fsdaemon_t)
sysnet_read_config(fsdaemon_t)
sysnet_dns_name_resolve(fsdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)