trunk: 3 patches from dan.

2008-02-05 17:41:53 +00:00 · 2008-02-05 17:41:53 +00:00 · ce8a5299a8
commit ce8a5299a8
parent 320ea98330
4 changed files with 94 additions and 14 deletions
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@ -76,3 +76,40 @@ interface(`zabbix_read_pid_files',`
 	files_search_pids($1)
 	allow $1 zabbix_var_run_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an zabbix environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the zabbix domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_admin',`
+	gen_require(`
+		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+	')
+
+	allow $1 zabbix_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, zabbix_t, zabbix_t)
+	        
+	logging_list_logs($1)
+	manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
+')
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@ -21,3 +21,47 @@ interface(`zebra_read_config',`
 	read_files_pattern($1, zebra_conf_t, zebra_conf_t)
 	read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an zebra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the zebra domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_admin',`
+	gen_require(`
+		type zebra_t, zebra_tmp_t, zebra_log_t;
+		type zebra_conf_t, zebra_var_run_t;
+	')
+
+	allow $1 zebra_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, zebra_t, zebra_t)
+	        
+	files_list_tmp($1)
+	manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
+
+	logging_list_logs($1)
+	manage_files_pattern($1, zebra_log_t, zebra_log_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
+')
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@ -115,8 +115,7 @@ userdom_dontaudit_use_unpriv_user_fds(zebra_t)
 userdom_dontaudit_search_sysadm_home_dirs(zebra_t)

 tunable_policy(`allow_zebra_write_config',`
-	allow zebra_t zebra_conf_t:dir write;
-	allow zebra_t zebra_conf_t:file write;
+	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 ')

 optional_policy(`
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@ -204,7 +204,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
 define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')