trunk: 8 patches from dan.
This commit is contained in:
parent
e87221cefe
commit
967fd1ba3f
@ -14,6 +14,7 @@
|
||||
named pipe. Updated init_telinit() to match.
|
||||
- Added modules:
|
||||
cyphesis (Dan Walsh)
|
||||
memcached (Dan Walsh)
|
||||
oident (Dominick Grift)
|
||||
w3c (Dan Walsh)
|
||||
|
||||
|
@ -1,8 +1,10 @@
|
||||
|
||||
/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
|
||||
/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0)
|
||||
/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
|
||||
/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
|
||||
|
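Review bot: Labeling `/usr/lib(64)?/AntiVir/antivir` as amavis_exec_t makes the third-party scanner an entry point into amavis_t and, together with the `can_exec(amavis_t, amavis_exec_t)` added in amavis.te, lets it run inside the daemon's domain without a transition, so the scanner and the daemon can no longer be given different permissions. If a separate domain is not wanted, a comment above the entry such as `# third-party scanner invoked by amavisd; runs in amavis_t` would record that this is deliberate. The sides of the two `/etc/amavisd(/.*)?` entries are not marked here; only the one without `--` should survive, since the pattern covers a directory tree.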
@ -197,6 +197,11 @@ interface(`amavis_create_pid_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`amavis_admin',`
|
||||
@ -204,28 +209,34 @@ interface(`amavis_admin',`
|
||||
type amavis_t, amavis_tmp_t, amavis_var_log_t;
|
||||
type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
|
||||
type amavis_etc_t, amavis_quarantine_t;
|
||||
type amavis_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 amavis_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, amavis_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t)
|
||||
|
||||
manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t)
|
||||
init_labeled_script_domtrans($1, amavis_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 amavis_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
|
||||
admin_pattern($1, amavis_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
|
||||
admin_pattern($1, amavis_quarantine_t)
|
||||
|
||||
files_list_spool($1)
|
||||
manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
|
||||
admin_pattern($1, amavis_spool_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, amavis_tmp_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
|
||||
admin_pattern($1, amavis_var_lib_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, amavis_var_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t)
|
||||
admin_pattern($1, amavis_var_run_t)
|
||||
')
|
||||
|
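Review bot: In `amavis_admin`, `admin_pattern($1, amavis_etc_t)` already includes manage_files_pattern on amavis_etc_t, so the explicit `manage_files_pattern($1, amavis_etc_t, amavis_etc_t)` beside it is redundant; the same doubling appears for the quarantine, log, spool, var_lib and pid types and again in `smartmon_admin` in smartmon.if, while the newer interfaces in this commit (`ldap_admin`, `openvpn_admin`) rely on admin_pattern alone, which is the cleaner form. If those manage_files_pattern lines are old-side survivors rather than new code, disregard this. `files_list_tmp($1)` also appears twice in the body (once before the quarantine rules, once before `admin_pattern($1, amavis_tmp_t)`), so one of the two should go.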
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amavis, 1.7.0)
|
||||
policy_module(amavis, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,7 +13,10 @@ init_daemon_domain(amavis_t, amavis_exec_t)
|
||||
|
||||
# configuration files
|
||||
type amavis_etc_t;
|
||||
files_type(amavis_etc_t)
|
||||
files_config_file(amavis_etc_t)
|
||||
|
||||
type amavis_initrc_exec_t;
|
||||
init_script_file(amavis_initrc_exec_t)
|
||||
|
||||
# pid files
|
||||
type amavis_var_run_t;
|
||||
@ -57,6 +60,8 @@ allow amavis_t amavis_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
|
||||
read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
|
||||
|
||||
can_exec(amavis_t, amavis_exec_t)
|
||||
|
||||
# mail quarantine
|
||||
manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
|
||||
manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
|
||||
|
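Review bot: `can_exec(amavis_t, amavis_exec_t)` lets the daemon execute its own entry-point type without a domain transition, which is what makes the AntiVir binary labeled amavis_exec_t in amavis.fc run inside amavis_t; a why-comment above it, e.g. `# amavisd re-executes its own binaries and helpers (AntiVir) in-domain`, would keep the next reader from taking it for an accidental grant. If the intent is only the scanner, a dedicated type for it would avoid widening execution to every amavis_exec_t file.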
@ -2,6 +2,7 @@
|
||||
# /etc
|
||||
#
|
||||
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
@ -12,4 +13,4 @@
|
||||
# /var
|
||||
#
|
||||
|
||||
/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0)
|
||||
/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
|
||||
|
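Review bot: `/var/run/autofs.*` widens the pid entry from the directory form to any name beginning with `autofs` under /var/run, presumably to cover the fifo that automount.te now creates via `files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })`; a short comment naming that purpose, e.g. `# pid file and named pipe(s) created by automount`, would make the glob's breadth read as intentional. If the pipes always carry a dot suffix, `/var/run/autofs(\..*)?` would be the tighter pattern — confirm against the daemon's naming. The same directory-to-glob widening is done for `/var/log/openvpn.*` in openvpn.fc.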
@ -56,6 +56,42 @@ interface(`automount_read_state',`
|
||||
read_files_pattern($1, automount_t, automount_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to file descriptors for automount.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`automount_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type automount_t;
|
||||
')
|
||||
|
||||
dontaudit $1 automount_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write automount daemon unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`automount_dontaudit_write_pipes',`
|
||||
gen_require(`
|
||||
type automount_t;
|
||||
')
|
||||
|
||||
dontaudit $1 automount_t:fifo_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
@ -74,3 +110,44 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
|
||||
|
||||
dontaudit $1 automount_tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an automount environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the automount domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`automount_admin',`
|
||||
gen_require(`
|
||||
type automount_t, automount_lock_t, automount_tmp_t;
|
||||
type automount_var_run_t, automount_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 automount_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, automount_t)
|
||||
|
||||
init_labeled_script_domtrans($1, automount_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 automount_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, automount_lock_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, automount_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, automount_var_run_t)
|
||||
')
|
||||
|
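Review bot: The summary of `automount_dontaudit_use_fds` is missing its verb — `## Do not audit attempts to file descriptors for automount.` should read `## Do not audit attempts to use automount file descriptors.` — and the domain parameter of `automount_dontaudit_write_pipes` is described as `## Domain allowed access.` although it is a dontaudit interface; the sibling's `## Domain to not audit.` is the right wording. In the `automount_admin` hunk further down, `getattr` in `allow $1 automount_t:process { ptrace signal_perms getattr };` looks redundant because `ps_process_pattern($1, automount_t)` on the next line grants process getattr as far as I recall its definition (confirm); `smartmon_admin` in smartmon.if carries the same extra permission, while the other admin interfaces in this commit use `{ ptrace signal_perms }`.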
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount, 1.9.0)
|
||||
policy_module(automount, 1.9.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type automount_t;
|
||||
type automount_exec_t;
|
||||
init_daemon_domain(automount_t, automount_exec_t)
|
||||
|
||||
type automount_initrc_exec_t;
|
||||
init_script_file(automount_initrc_exec_t)
|
||||
|
||||
type automount_var_run_t;
|
||||
files_pid_file(automount_var_run_t)
|
||||
|
||||
@ -35,8 +38,6 @@ allow automount_t self:tcp_socket create_stream_socket_perms;
|
||||
allow automount_t self:udp_socket create_socket_perms;
|
||||
allow automount_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
can_exec(automount_t, automount_exec_t)
|
||||
|
||||
allow automount_t automount_lock_t:file manage_file_perms;
|
||||
@ -52,7 +53,8 @@ files_home_filetrans(automount_t, automount_tmp_t, dir)
|
||||
files_root_filetrans(automount_t, automount_tmp_t, dir)
|
||||
|
||||
manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
|
||||
files_pid_filetrans(automount_t, automount_var_run_t, file)
|
||||
manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
|
||||
files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
|
||||
|
||||
kernel_read_kernel_sysctls(automount_t)
|
||||
kernel_read_irq_sysctls(automount_t)
|
||||
@ -126,8 +128,12 @@ fs_unmount_autofs(automount_t)
|
||||
fs_mount_autofs(automount_t)
|
||||
fs_manage_autofs_symlinks(automount_t)
|
||||
|
||||
storage_rw_fuse(automount_t)
|
||||
|
||||
term_dontaudit_getattr_pty_dirs(automount_t)
|
||||
|
||||
auth_use_nsswitch(automount_t)
|
||||
|
||||
libs_use_ld_so(automount_t)
|
||||
libs_use_shared_libs(automount_t)
|
||||
|
||||
@ -140,10 +146,6 @@ miscfiles_read_certs(automount_t)
|
||||
# Run mount in the mount_t domain.
|
||||
mount_domtrans(automount_t)
|
||||
|
||||
sysnet_dns_name_resolve(automount_t)
|
||||
sysnet_use_ldap(automount_t)
|
||||
sysnet_read_config(automount_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(automount_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(automount_t)
|
||||
@ -163,11 +165,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(automount_t)
|
||||
rpc_search_nfs_state_data(automount_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpc_search_nfs_state_data(automount_t)
|
||||
samba_read_config(automount_t)
|
||||
samba_manage_var_files(automount_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
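Review bot: `samba_manage_var_files(automount_t)` in the last hunk grants the automounter create and write access over samba's var files, considerably more than the `samba_read_config(automount_t)` beside it; a one-line comment stating what automount needs to write there would let a reader judge whether read access would suffice. `storage_rw_fuse(automount_t)` a few hunks earlier is likewise added without a comment; both are the kind of grant the next maintainer will want a reason for. Replacing the individual `nis_use_ypbind`, `sysnet_*` and netlink rules with `auth_use_nsswitch(automount_t)` is consistent with how other daemons are written.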
@ -3,6 +3,8 @@
|
||||
#
|
||||
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
|
||||
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
@ -28,11 +28,13 @@ template(`ftp_per_role_template',`
|
||||
type ftpd_t;
|
||||
')
|
||||
|
||||
userdom_manage_user_home_content_files($1, ftpd_t)
|
||||
userdom_manage_user_home_content_symlinks($1, ftpd_t)
|
||||
userdom_manage_user_home_content_sockets($1, ftpd_t)
|
||||
userdom_manage_user_home_content_pipes($1, ftpd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
userdom_manage_user_home_content_files($1, ftpd_t)
|
||||
userdom_manage_user_home_content_symlinks($1, ftpd_t)
|
||||
userdom_manage_user_home_content_sockets($1, ftpd_t)
|
||||
userdom_manage_user_home_content_pipes($1, ftpd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -155,3 +157,62 @@ interface(`ftp_run_ftpdctl',`
|
||||
role $2 types ftpdctl_t;
|
||||
allow ftpdctl_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an ftp environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the ftp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the ftpdctl domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ftp_admin',`
|
||||
gen_require(`
|
||||
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
|
||||
type ftpd_etc_t, ftpd_lock_t;
|
||||
type ftpd_var_run_t, xferlog_t;
|
||||
type ftpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ftpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ftpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ftpd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
ps_process_pattern($1, ftpdctl_t)
|
||||
ftp_run_ftpdctl($1, $2, $3)
|
||||
|
||||
miscfiles_manage_public_files($1)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, ftpd_tmp_t)
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, ftpd_etc_t)
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, ftpd_lock_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, ftpd_var_run_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, xferlog_t)
|
||||
')
|
||||
|
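Review bot: Wrapping the home-directory grants of `ftp_per_role_template` in `tunable_policy(`ftp_home_dir', ...)` is the right direction, but it changes behaviour for deployments that relied on the unconditional access, so the template's XML summary (outside this hunk) should state that home-directory access now depends on the ftp_home_dir boolean. In `ftp_admin`, the terminal parameter's summary `## The type of the terminal allow the ftpdctl domain to use.` is ungrammatical; `## The type of the terminal the ftpdctl domain is allowed to use.` reads correctly. `ftp_admin` also grants `ps_process_pattern($1, ftpdctl_t)` but no signal permissions on ftpdctl_t, unlike the `{ ptrace signal_perms }` it grants on ftpd_t — worth confirming that is deliberate.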
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ftp, 1.8.0)
|
||||
policy_module(ftp, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -53,6 +53,9 @@ init_daemon_domain(ftpd_t, ftpd_exec_t)
|
||||
type ftpd_etc_t;
|
||||
files_config_file(ftpd_etc_t)
|
||||
|
||||
type ftpd_initrc_exec_t;
|
||||
init_script_file(ftpd_initrc_exec_t)
|
||||
|
||||
type ftpd_lock_t;
|
||||
files_lock_file(ftpd_lock_t)
|
||||
|
||||
@ -106,9 +109,10 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
||||
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
files_pid_filetrans(ftpd_t, ftpd_var_run_t, file)
|
||||
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
|
||||
|
||||
# proftpd requires the client side to bind a socket so that
|
||||
# it can stat the socket to perform access control decisions,
|
||||
@ -123,6 +127,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(ftpd_t)
|
||||
kernel_read_system_state(ftpd_t)
|
||||
kernel_search_network_state(ftpd_t)
|
||||
|
||||
dev_read_sysfs(ftpd_t)
|
||||
dev_read_urand(ftpd_t)
|
||||
@ -169,7 +174,9 @@ init_rw_utmp(ftpd_t)
|
||||
libs_use_ld_so(ftpd_t)
|
||||
libs_use_shared_libs(ftpd_t)
|
||||
|
||||
logging_send_audit_msgs(ftpd_t)
|
||||
logging_send_syslog_msg(ftpd_t)
|
||||
logging_set_loginuid(ftpd_t)
|
||||
|
||||
miscfiles_read_localization(ftpd_t)
|
||||
miscfiles_read_public_files(ftpd_t)
|
||||
|
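Review bot: `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )` has the closing brace glued to `dir` and a stray space before the parenthesis; the file's other set literals (e.g. `{ dir file lnk_file sock_file fifo_file })` in the fs_tmpfs_filetrans line above) are spaced consistently, so this should be `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })`. The new `kernel_read_system_state(ftpd_t)` and `logging_send_audit_msgs(ftpd_t)` grants are uncommented; a word on which server feature needs them would help.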
@ -1,5 +1,6 @@
|
||||
|
||||
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
||||
|
||||
|
@ -73,3 +73,49 @@ interface(`ldap_stream_connect',`
|
||||
allow $1 slapd_var_run_t:sock_file write;
|
||||
allow $1 slapd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an ldap environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the ldap domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ldap_admin',`
|
||||
gen_require(`
|
||||
type slapd_t, slapd_tmp_t, slapd_replog_t;
|
||||
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
|
||||
type slapd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 slapd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, slapd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 slapd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, slapd_etc_t)
|
||||
|
||||
admin_pattern($1, slapd_lock_t)
|
||||
|
||||
admin_pattern($1, slapd_replog_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, slapd_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, slapd_var_run_t)
|
||||
')
|
||||
|
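Review bot: `ldap_admin` calls `admin_pattern($1, slapd_lock_t)` and `admin_pattern($1, slapd_replog_t)` without a preceding list grant on their parent directories, whereas the other admin interfaces in this commit pair each admin_pattern with `files_list_var($1)`, `files_list_var_lib($1)` or similar (see `automount_admin` and `ftp_admin`); without those the admin domain reaches the lock and replog objects only if it already has the directory access from elsewhere. Adding `files_list_var($1)` before the slapd_lock_t line and `files_list_var_lib($1)` before the slapd_replog_t line would match the pattern, assuming the replog lives under /var/lib — confirm against ldap.fc.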
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap, 1.7.0)
|
||||
policy_module(ldap, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,6 +19,9 @@ files_type(slapd_db_t)
|
||||
type slapd_etc_t;
|
||||
files_config_file(slapd_etc_t)
|
||||
|
||||
type slapd_initrc_exec_t;
|
||||
init_script_file(slapd_initrc_exec_t)
|
||||
|
||||
type slapd_lock_t;
|
||||
files_lock_file(slapd_lock_t)
|
||||
|
||||
|
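--- a/policy/modules/services/memcached.fc
+++ b/policy/modules/services/memcached.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)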
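--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -0,0 +1,73 @@
+## <summary>high-performance memory object caching system</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run memcached.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`memcached_domtrans',`
+gen_require(`
+type memcached_t;
+type memcached_exec_t;
+')
+
+domtrans_pattern($1,memcached_exec_t,memcached_t)
+')
+
+########################################
+## <summary>
+## Read memcached PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`memcached_read_pid_files',`
+gen_require(`
+type memcached_var_run_t;
+')
+
+files_search_pids($1)
+allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an memcached environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the memcached domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`memcached_admin',`
+gen_require(`
+type memcached_t;
+type memcached_initrc_exec_t;
+')
+
+allow $1 memcached_t:process { ptrace signal_perms };
+ps_process_pattern($1, memcached_t)
+
+init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+domain_system_change_exemption($1)
+role_transition $2 memcached_initrc_exec_t system_r;
+allow $2 system_r;
+
+admin_pattern($1, memcached_var_run_t)
+')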
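Review bot: `memcached_admin` uses memcached_var_run_t in `admin_pattern($1, memcached_var_run_t)` but its gen_require block only declares `type memcached_t;` and `type memcached_initrc_exec_t;`, so the interface should fail to compile when called from another module; add `type memcached_var_run_t;` to the gen_require. The other admin interfaces in this commit also precede the pid admin_pattern with `files_list_pids($1)`, which is missing here. Style-wise, `domtrans_pattern($1,memcached_exec_t,memcached_t)` lacks the spaces after commas used everywhere else in the file.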
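--- a/policy/modules/services/memcached.te
+++ b/policy/modules/services/memcached.te
@@ -0,0 +1,50 @@
+
+policy_module(memcached, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# memcached local policy
+#
+
+allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_udp_sendrecv_all_if(memcached_t)
+corenet_udp_sendrecv_all_nodes(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_all_nodes(memcached_t)
+corenet_tcp_sendrecv_all_if(memcached_t)
+corenet_tcp_sendrecv_all_nodes(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_tcp_bind_all_nodes(memcached_t)
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })
+
+files_read_etc_files(memcached_t)
+
+libs_use_ld_so(memcached_t)
+libs_use_shared_libs(memcached_t)
+
+miscfiles_read_localization(memcached_t)
+
+sysnet_dns_name_resolve(memcached_t)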
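Review bot: The network rules grant `corenet_tcp_bind_all_nodes` and `corenet_udp_bind_all_nodes` plus sendrecv on all ports, but no `corenet_tcp_bind_*_port` or `corenet_udp_bind_*_port` permission, so unless a memcached port type and its bind interface are declared elsewhere in this commit (not visible on this page) the daemon cannot bind its listening socket. Binding to a named port type rather than broad sendrecv on all ports would also be the tighter fit for a single-port service. Minor style: `files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })` is missing the space after the first comma, unlike the surrounding lines.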
@ -2,6 +2,7 @@
|
||||
# /etc
|
||||
#
|
||||
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
@ -11,5 +12,5 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)
|
||||
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
|
||||
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
|
||||
|
@ -90,3 +90,44 @@ interface(`openvpn_read_config',`
|
||||
read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
|
||||
read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an openvpn environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the openvpn domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`openvpn_admin',`
|
||||
gen_require(`
|
||||
type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
|
||||
type openvpn_var_run_t, openvpn_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 openvpn_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, openvpn_t)
|
||||
|
||||
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 openvpn_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, openvpn_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, openvpn_var_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, openvpn_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn, 1.5.0)
|
||||
policy_module(openvpn, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -20,7 +20,10 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
|
||||
|
||||
# configuration files
|
||||
type openvpn_etc_t;
|
||||
files_type(openvpn_etc_t)
|
||||
files_config_file(openvpn_etc_t)
|
||||
|
||||
type openvpn_initrc_exec_t;
|
||||
init_script_file(openvpn_initrc_exec_t)
|
||||
|
||||
# log files
|
||||
type openvpn_var_log_t;
|
||||
@ -35,7 +38,7 @@ files_pid_file(openvpn_var_run_t)
|
||||
# openvpn local policy
|
||||
#
|
||||
|
||||
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
|
||||
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
|
||||
allow openvpn_t self:process { signal getsched };
|
||||
|
||||
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@ -45,6 +48,7 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
|
||||
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
||||
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
|
||||
can_exec(openvpn_t, openvpn_etc_t)
|
||||
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
|
||||
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
|
||||
|
||||
@ -74,9 +78,12 @@ corenet_tcp_bind_all_nodes(openvpn_t)
|
||||
corenet_udp_bind_all_nodes(openvpn_t)
|
||||
corenet_tcp_bind_openvpn_port(openvpn_t)
|
||||
corenet_udp_bind_openvpn_port(openvpn_t)
|
||||
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
||||
corenet_rw_tun_tap_dev(openvpn_t)
|
||||
corenet_tcp_connect_openvpn_port(openvpn_t)
|
||||
corenet_tcp_connect_http_port(openvpn_t)
|
||||
corenet_rw_tun_tap_dev(openvpn_t)
|
||||
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
||||
corenet_sendrecv_openvpn_client_packets(openvpn_t)
|
||||
corenet_sendrecv_http_client_packets(openvpn_t)
|
||||
|
||||
dev_search_sysfs(openvpn_t)
|
||||
dev_read_rand(openvpn_t)
|
||||
|
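Review bot: `can_exec(openvpn_t, openvpn_etc_t)` makes every file labeled openvpn_etc_t executable in the daemon's domain, so whoever can write the configuration directory can also place code that runs as openvpn_t with its `net_admin` and newly added `sys_chroot` capabilities; if this is for the `--up`/`--down` hook scripts, a comment saying so (e.g. `# run the --up/--down scripts kept under /etc/openvpn`) and, ideally, a separate script type would narrow it. The new `sys_chroot` capability and the `corenet_tcp_connect_http_port`/`corenet_sendrecv_http_client_packets` grants are likewise uncommented — presumably for the `--chroot` and HTTP-proxy options; confirm and note it.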
@ -1,7 +1,9 @@
|
||||
/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
|
||||
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
|
@ -28,19 +28,30 @@ interface(`smartmon_read_tmp_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`smartmon_admin',`
|
||||
gen_require(`
|
||||
type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
|
||||
type fsdaemon_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, fsdaemon_t)
|
||||
|
||||
|
||||
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 fsdaemon_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
|
||||
admin_pattern($1, fsdaemon_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
|
||||
admin_pattern($1, fsdaemon_var_run_t)
|
||||
')
|
||||
|
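Review bot: There are two consecutive blank lines between `ps_process_pattern($1, fsdaemon_t)` and `init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)` in `smartmon_admin`; the rest of the file and the other admin interfaces in this commit separate logical groups with a single blank line, so one of them should go. The added role parameter is documented as `## Role allowed access.` while the newer interfaces in this commit use `## The role to be allowed to manage the <service> domain.`; either wording is fine, but picking one across the commit would be tidier.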
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(smartmon, 1.6.0)
|
||||
policy_module(smartmon, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type fsdaemon_t;
|
||||
type fsdaemon_exec_t;
|
||||
init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
|
||||
|
||||
type fsdaemon_initrc_exec_t;
|
||||
init_script_file(fsdaemon_initrc_exec_t)
|
||||
|
||||
type fsdaemon_var_run_t;
|
||||
files_pid_file(fsdaemon_var_run_t)
|
||||
|
||||
@ -28,6 +31,7 @@ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
|
||||
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
|
||||
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow fsdaemon_t self:udp_socket create_socket_perms;
|
||||
allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
|
||||
manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
|
||||
@ -78,7 +82,7 @@ logging_send_syslog_msg(fsdaemon_t)
|
||||
|
||||
miscfiles_read_localization(fsdaemon_t)
|
||||
|
||||
sysnet_read_config(fsdaemon_t)
|
||||
sysnet_dns_name_resolve(fsdaemon_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
|
||||
|
||||
|