This commit is contained in:
Chris PeBenito 2005-08-05 14:32:12 +00:00
parent 3fd8336882
commit 9a66d4e562
6 changed files with 209 additions and 0 deletions

View File

@ -4,6 +4,7 @@
* Rename inetd connect interface for consistency.
* Misc. cleanups.
* Added policies:
acct
mysql
20050802 (2 Aug 2005)

View File

@ -0,0 +1,8 @@
/etc/cron\.(daily|monthly)/acct -- context_template(system_u:object_r:acct_exec_t,s0)
/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0)
/usr/sbin/accton -- context_template(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? context_template(system_u:object_r:acct_data_t,s0)

View File

@ -0,0 +1,84 @@
## <summary>Berkeley process accounting</summary>
########################################
## <summary>
## Transition to the accounting management domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`acct_domtrans',`
gen_require(`
type acct_t, acct_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1,acct_exec_t,acct_t)
allow $1 acct_t:fd use;
allow acct_t $1:fd use;
allow acct_t $1:fifo_file rw_file_perms;
allow acct_t $1:process sigchld;
')
########################################
## <summary>
## Execute accounting management tools in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`acct_exec',`
gen_require(`
type acct_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,acct_exec_t)
')
########################################
## <summary>
## Execute accounting management data in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
# cjp: this is added for logrotate, and does
# not make sense to me.
interface(`acct_exec_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
can_exec($1,acct_data_t)
')
########################################
## <summary>
## Create, read, write, and delete process accounting data.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`acct_manage_data',`
gen_require(`
type acct_data_t;
class dir rw_dir_perms;
class file create_file_perms;
class lnk_file create_lnk_perms;
')
files_search_var($1)
allow $1 acct_data_t:dir rw_dir_perms;
allow $1 acct_data_t:file create_file_perms;
allow $1 acct_data_t:lnk_file create_lnk_perms;
')

View File

@ -0,0 +1,98 @@
policy_module(acct,1.0)
########################################
#
# Declarations
#
type acct_t;
type acct_exec_t;
init_daemon_domain(acct_t,acct_exec_t)
type acct_data_t;
files_type(acct_data_t)
########################################
#
# Local Policy
#
# gzip needs chown capability for some reason
allow acct_t self:capability { sys_pacct chown fsetid };
# not sure why we need kill, the command "last" is reported as using it
dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file { read write getattr };
allow acct_t self:process signal_perms;
allow acct_t acct_data_t:dir rw_dir_perms;
allow acct_t acct_data_t:file create_file_perms;
allow acct_t acct_data_t:lnk_file create_lnk_perms;
can_exec(acct_t,acct_exec_t)
kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
kernel_read_kernel_sysctl(acct_t)
dev_read_sysfs(acct_t)
# for SSP
dev_read_urand(acct_t)
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
term_dontaudit_use_console(acct_t)
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
domain_use_wide_inherit_fd(acct_t)
files_read_etc_files(acct_t)
files_read_etc_runtime_files(acct_t)
# for nscd
files_dontaudit_getattr_pid_dir(acct_t)
init_use_fd(acct_t)
init_use_script_pty(acct_t)
init_exec_script(acct_t)
libs_use_ld_so(acct_t)
libs_use_shared_libs(acct_t)
logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
userdom_dontaudit_search_sysadm_home_dir(acct_t)
userdom_dontaudit_use_unpriv_user_fd(acct_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(acct_t)
term_dontaudit_use_generic_pty(acct_t)
files_dontaudit_read_root_file(acct_t)
')
optional_policy(`cron.te',`
optional_policy(`authlogin.te',`
# for monthly cron job
auth_create_login_records(acct_t)
auth_manage_login_records(acct_t)
')
cron_system_entry(acct_t,acct_exec_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(acct_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(acct_t)
')
optional_policy(`udev.te', `
udev_read_db(acct_t)
')

View File

@ -113,6 +113,12 @@ ifdef(`distro_debian', `
can_exec(logrotate_t, logrotate_exec_t)
')
optional_policy(`acct.te',`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
')
optional_policy(`consoletype.te',`
consoletype_exec(logrotate_t)

View File

@ -669,6 +669,18 @@ interface(`auth_rw_login_records',`
logging_search_logs($1)
')
#######################################
#
# auth_create_login_records(domain)
#
interface(`auth_create_login_records',`
gen_require(`
type wtmp_t;
')
logging_create_log($1,wtmp_t,file)
')
#######################################
#
# auth_manage_login_records(domain)