trunk: 3 patches from dan.
This commit is contained in:
parent
320ea98330
commit
ce8a5299a8
@ -76,3 +76,40 @@ interface(`zabbix_read_pid_files',`
|
||||
files_search_pids($1)
|
||||
allow $1 zabbix_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an zabbix environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the zabbix domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zabbix_admin',`
|
||||
gen_require(`
|
||||
type zabbix_t, zabbix_log_t, zabbix_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 zabbix_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, zabbix_t, zabbix_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
|
||||
')
|
||||
|
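Review bot: `zabbix_admin` documents `role` and `terminal` parameters and tags itself `<rolecap/>`, but the body between `gen_require` and the closing `')` references only `$1`, so `$2` and `$3` are accepted and silently ignored; the same applies to `zebra_admin` in the next file section. Either the two unused `<param>` blocks and the `<rolecap/>` tag should be dropped from the header so the documented contract matches what is granted, or the body is missing the rules that were meant to consume the role and terminal arguments. `read_files_pattern($1, zabbix_t, zabbix_t)` also grants reads on files labelled with the process type rather than on the domain's `/proc` entries, which looks unintended for an administrative interface — worth confirming. Minor: `## an zabbix environment` should read `## a zabbix environment` (likewise `## an zebra environment`).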
@ -18,6 +18,50 @@ interface(`zebra_read_config',`
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 zebra_conf_t:dir list_dir_perms;
|
||||
read_files_pattern($1,zebra_conf_t,zebra_conf_t)
|
||||
read_lnk_files_pattern($1,zebra_conf_t,zebra_conf_t)
|
||||
read_files_pattern($1, zebra_conf_t, zebra_conf_t)
|
||||
read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an zebra environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the zebra domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zebra_admin',`
|
||||
gen_require(`
|
||||
type zebra_t, zebra_tmp_t, zebra_log_t;
|
||||
type zebra_conf_t, zebra_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 zebra_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, zebra_t, zebra_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, zebra_log_t, zebra_log_t)
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
|
||||
')
|
||||
|
@ -12,11 +12,11 @@ policy_module(zebra,1.6.0)
|
||||
## </p>
|
||||
## </desc>
|
||||
#
|
||||
gen_tunable(allow_zebra_write_config,false)
|
||||
gen_tunable(allow_zebra_write_config, false)
|
||||
|
||||
type zebra_t;
|
||||
type zebra_exec_t;
|
||||
init_daemon_domain(zebra_t,zebra_exec_t)
|
||||
init_daemon_domain(zebra_t, zebra_exec_t)
|
||||
|
||||
type zebra_conf_t;
|
||||
files_type(zebra_conf_t)
|
||||
@ -48,20 +48,20 @@ allow zebra_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow zebra_t zebra_conf_t:dir list_dir_perms;
|
||||
read_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
|
||||
read_lnk_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
|
||||
read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
||||
|
||||
allow zebra_t zebra_log_t:dir setattr;
|
||||
manage_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
|
||||
manage_sock_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
|
||||
logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
|
||||
manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
||||
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
||||
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
|
||||
|
||||
# /tmp/.bgpd is such a bad idea!
|
||||
allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
|
||||
files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
|
||||
|
||||
manage_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
|
||||
manage_sock_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
|
||||
files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
|
||||
manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
|
||||
manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
|
||||
files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(zebra_t)
|
||||
kernel_read_kernel_sysctls(zebra_t)
|
||||
@ -115,8 +115,7 @@ userdom_dontaudit_use_unpriv_user_fds(zebra_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
|
||||
|
||||
tunable_policy(`allow_zebra_write_config',`
|
||||
allow zebra_t zebra_conf_t:dir write;
|
||||
allow zebra_t zebra_conf_t:file write;
|
||||
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
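Review bot: The `allow_zebra_write_config` tunable body now expands to `manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)`, which grants create, unlink, rename and setattr on the configuration files and add_name/remove_name on the directory, whereas the two removed rules granted only `write`; a boolean named "write config" now also authorises deleting and replacing the configuration. If rewriting existing files is all the daemon needs, `allow zebra_t zebra_conf_t:file write_file_perms;` keeps the tunable's original scope (the `list_dir_perms` rule on `zebra_conf_t:dir` earlier in the file already covers directory search). If create/delete is intended, the tunable's `<desc>` block at the top of the file, partly visible in the first hunk, should say so. The two whitespace-only hunks in this file need nothing.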
@ -204,7 +204,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
|
||||
define(`getattr_file_perms',`{ getattr }')
|
||||
define(`setattr_file_perms',`{ setattr }')
|
||||
define(`read_file_perms',`{ getattr read lock ioctl }')
|
||||
define(`mmap_file_perms',`{ getattr read execute }')
|
||||
define(`mmap_file_perms',`{ getattr read execute ioctl }')
|
||||
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
|
||||
define(`append_file_perms',`{ getattr append lock ioctl }')
|
||||
define(`write_file_perms',`{ getattr write append lock ioctl }')
|
||||
|
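Review bot: Adding `ioctl` to `mmap_file_perms` widens every rule in the policy that uses this set, and neither the define nor the commit description (`trunk: 3 patches from dan.`) records why; a one-line comment above the `define` naming the denial or use case that motivated it would make the change reviewable later. `exec_file_perms` on the next line still lacks `ioctl` while `read_file_perms` and now `mmap_file_perms` carry it; if that asymmetry is intended it deserves the same comment, otherwise it should follow.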