Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy

This commit is contained in:
Chris PeBenito 2009-07-28 08:00:03 -04:00
commit c7ae9ae1c8
6 changed files with 122 additions and 2 deletions


@ -38,6 +38,7 @@
ulogd (Dan Walsh) ulogd (Dan Walsh)
varnishd (Dan Walsh) varnishd (Dan Walsh)
webadm (Dan Walsh) webadm (Dan Walsh)
wm (Dan Walsh)
xguest (Dan Walsh) xguest (Dan Walsh)
zosremote (Dan Walsh) zosremote (Dan Walsh)


@ -0,0 +1,3 @@
/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)

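--- /dev/null
+++ b/policy/modules/apps/wm.if
@@ -0,0 +1,98 @@
+## <summary>X Window Managers</summary>
+#######################################
+## <summary>
+## The role template for the wm module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wm_role_template',`
+gen_require(`
+type wm_exec_t;
+')
+type $1_wm_t;
+domain_type($1_wm_t)
+domain_entry_file($1_wm_t, wm_exec_t)
+role $2 types $1_wm_t;
+allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+allow $1_wm_t self:process getsched;
+allow $1_wm_t self:shm create_shm_perms;
+allow $1_wm_t $3:unix_stream_socket connectto;
+domtrans_pattern($3, wm_exec_t, $1_wm_t)
+kernel_read_system_state($1_wm_t)
+corecmd_bin_domtrans($1_wm_t, $3)
+corecmd_shell_domtrans($1_wm_t, $3)
+dev_read_urand($1_wm_t)
+files_read_etc_files($1_wm_t)
+files_read_usr_files($1_wm_t)
+mls_file_read_all_levels($1_wm_t)
+mls_file_write_all_levels($1_wm_t)
+mls_xwin_read_all_levels($1_wm_t)
+mls_xwin_write_all_levels($1_wm_t)
+mls_fd_use_all_levels($1_wm_t)
+auth_use_nsswitch($1_wm_t)
+miscfiles_read_fonts($1_wm_t)
+miscfiles_read_localization($1_wm_t)
+userdom_manage_home_role($2, $1_wm_t)
+userdom_manage_tmpfs_role($2, $1_wm_t)
+userdom_manage_tmp_role($2, $1_wm_t)
+optional_policy(`
+dbus_system_bus_client($1_wm_t)
+')
+optional_policy(`
+xserver_role($2, $1_wm_t)
+')
+')
+########################################
+## <summary>
+## Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_exec',`
+gen_require(`
+type wm_exec_t;
+')
+can_exec($1, wm_exec_t)
+')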
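Review bot: The five mls_*_all_levels calls in wm_role_template (file read and write, xwin read and write, fd use at all levels) give a per-user derived domain an MLS override with no comment saying why a window manager needs it, and in particular why `mls_file_write_all_levels` is required next to the xwin variants; a why-comment such as `# MLS override: the window manager handles windows and files of every level shown on the user's display` would let a later reviewer judge that. Nothing in this commit invokes wm_role_template, so no $1_wm_t domain is instantiated until a user domain calls the template, presumably in a follow-up change. The template description also reads `This template creates a derived domains`; `a derived domain` is intended.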

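--- /dev/null
+++ b/policy/modules/apps/wm.te
@@ -0,0 +1,10 @@
+policy_module(wm, 1.0.0)
+########################################
+#
+# Declarations
+#
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)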


@ -38,7 +38,7 @@ interface(`snort_domtrans',`
interface(`snort_admin',` interface(`snort_admin',`
gen_require(` gen_require(`
type snort_t, snort_var_run_t, snort_log_t; type snort_t, snort_var_run_t, snort_log_t;
type snort_initrc_exec_t; type snort_etc_t, snort_initrc_exec_t;
') ')
allow $1 snort_t:process { ptrace signal_perms }; allow $1 snort_t:process { ptrace signal_perms };
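Review bot: The gen_require of snort_admin now lists snort_etc_t, but no rule in this hunk uses it; the matching admin_pattern for snort_etc_t is presumably in a later hunk of snort.if that the page does not show, and if it is not, the added require is dead. snort_admin's body continues outside the hunk.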


@ -1,5 +1,5 @@
policy_module(snort, 1.7.1) policy_module(snort, 1.7.2)
######################################## ########################################
# #
@ -56,6 +56,7 @@ manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
files_pid_filetrans(snort_t, snort_var_run_t, file) files_pid_filetrans(snort_t, snort_var_run_t, file)
kernel_read_kernel_sysctls(snort_t) kernel_read_kernel_sysctls(snort_t)
kernel_read_sysctl(snort_t)
kernel_list_proc(snort_t) kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t) kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t) kernel_dontaudit_read_system_state(snort_t)
@ -70,6 +71,7 @@ corenet_udp_sendrecv_generic_node(snort_t)
corenet_raw_sendrecv_generic_node(snort_t) corenet_raw_sendrecv_generic_node(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t) corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t) corenet_udp_sendrecv_all_ports(snort_t)
corenet_tcp_connect_prelude_port(snort_t)
dev_read_sysfs(snort_t) dev_read_sysfs(snort_t)
dev_read_rand(snort_t) dev_read_rand(snort_t)
@ -90,10 +92,16 @@ logging_send_syslog_msg(snort_t)
miscfiles_read_localization(snort_t) miscfiles_read_localization(snort_t)
sysnet_read_config(snort_t) sysnet_read_config(snort_t)
# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
sysnet_dns_name_resolve(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t) userdom_dontaudit_use_unpriv_user_fds(snort_t)
userdom_dontaudit_search_user_home_dirs(snort_t) userdom_dontaudit_search_user_home_dirs(snort_t)
optional_policy(`
prelude_manage_spool(snort_t)
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(snort_t) seutil_sigchld_newrole(snort_t)
') ')
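Review bot: `corenet_tcp_connect_prelude_port(snort_t)` and `sysnet_dns_name_resolve(snort_t)` are added unconditionally, while the comment added with them says they are needed only `in case it wants to relay to a remote prelude-manager`; every snort installation thereby gets DNS resolution and outbound connections to the prelude port even where no prelude manager is configured. Moving both calls next to `prelude_manage_spool(snort_t)` inside the new `optional_policy(` block, or guarding them with a tunable, would limit the sensor's network reach to deployments that actually use prelude. The added comment also reads `snorts must be able to resolve dns`; `snort must` is intended.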