Additional interfaces in corecommands, miscfiles, and userdomain from Joy Latten.

This commit is contained in:
Chris PeBenito 2006-03-24 18:59:51 +00:00
parent 8b2d5ca6db
commit d42c7ede2a
7 changed files with 209 additions and 4 deletions

View File

@ -1,3 +1,5 @@
- Additional interfaces in corecommands, miscfiles, and userdomain
from Joy Latten.
- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
now that optionals are allowed everywhere.

View File

@ -39,6 +39,42 @@ interface(`corecmd_bin_alias',`
')
')
########################################
## <summary>
## Make general progams in bin an entrypoint for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The domain for which bin_t is an entrypoint.
## </summary>
## </param>
interface(`corecmd_bin_entry_type',`
gen_require(`
type bin_t;
')
domain_entry_file($1,bin_t)
')
########################################
## <summary>
## Make general progams in sbin an entrypoint for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The domain for which sbin programs are an entrypoint.
## </summary>
## </param>
interface(`corecmd_sbin_entry_type',`
gen_require(`
type sbin_t;
')
domain_entry_file($1,sbin_t)
')
########################################
## <summary>
## Make the shell an entrypoint for the specified domain.
@ -779,4 +815,3 @@ interface(`corecmd_exec_chroot',`
can_exec($1,chroot_exec_t)
allow $1 self:capability sys_chroot;
')

View File

@ -1,5 +1,5 @@
policy_module(corecommands,1.3.4)
policy_module(corecommands,1.3.5)
########################################
#

View File

@ -303,3 +303,62 @@ interface(`miscfiles_exec_tetex_data',`
allow $1 tetex_data_t:dir r_dir_perms;
can_exec($1,tetex_data_t)
')
########################################
## <summary>
## Let test files be an entry point for
## a specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be entered.
## </summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
gen_require(`
type test_file_t;
')
domain_entry_file($1, test_file_t)
')
########################################
## <summary>
## Read test files and directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_test_files',`
gen_require(`
type test_file_t;
')
allow $1 test_file_t:dir r_dir_perms;
allow $1 test_file_t:file r_file_perms;
allow $1 test_file_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Execute test files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
gen_require(`
type test_file_t;
')
allow $1 test_file_t:dir r_dir_perms;
allow $1 test_file_t:lnk_file r_file_perms;
can_exec($1, test_file_t)
')

View File

@ -1,5 +1,5 @@
policy_module(miscfiles,1.0.0)
policy_module(miscfiles,1.0.1)
########################################
#

View File

@ -3239,6 +3239,115 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
allow sysadm_t $1:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic bin program in
## a specified domain.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
#
interface(`userdom_sysadm_bin_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans(sysadm_t,$1)
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute a generic sbin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic sbin program in
## a specified domain.
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
#
interface(`userdom_sysadm_sbin_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
corecmd_sbin_spec_domtrans(sysadm_t, $1)
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Allow sysadm to execute all entrypoint files
## in the specified domain. This is an explicit
## transition, requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Allow sysadm to execute all entrypoint files
## in the specified domain. This is an explicit
## transition, requiring the caller to use setexeccon().
## </p>
## <p>
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to execute in.
## </summary>
## </param>
#
interface(`userdom_sysadm_entry_spec_domtrans_to',`
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans(sysadm_t, $1)
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
')
########################################
## <summary>
## Search the staff users home directory.

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.5)
policy_module(userdomain,1.3.6)
gen_require(`
role sysadm_r, staff_r, user_r;