trunk: Database labeled networking update from KaiGai Kohei.

This commit is contained in:
Chris PeBenito 2008-07-25 04:07:09 +00:00
parent 6224fc1485
commit dc1920b218
9 changed files with 79 additions and 10 deletions

View File

@ -1,3 +1,4 @@
- Database labeled networking update from KaiGai Kohei.
- Several misc changes from the Fedora policy, cherry picked by David - Several misc changes from the Fedora policy, cherry picked by David
Hrdeman. Hrdeman.
- Large whitespace fix from Dominick Grift. - Large whitespace fix from Dominick Grift.

View File

@ -189,10 +189,6 @@ template(`apache_content_template',`
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t) corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t) sysnet_read_config(httpd_$1_script_t)
') ')
@ -219,6 +215,12 @@ template(`apache_content_template',`
mta_send_mail(httpd_$1_script_t) mta_send_mail(httpd_$1_script_t)
') ')
optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_$1_script_t)
')
')
optional_policy(` optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',` tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t) nis_use_ypbind_uncond(httpd_$1_script_t)
@ -227,6 +229,10 @@ template(`apache_content_template',`
optional_policy(` optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t) postgresql_unpriv_client(httpd_$1_script_t)
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_$1_script_t)
')
') ')
optional_policy(` optional_policy(`

View File

@ -1,5 +1,5 @@
policy_module(apache, 1.10.0) policy_module(apache, 1.10.1)
# #
# NOTES: # NOTES:
@ -459,8 +459,7 @@ optional_policy(`
mysql_rw_db_sockets(httpd_t) mysql_rw_db_sockets(httpd_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mysqld_port(httpd_t) mysql_tcp_connect(httpd_t)
corenet_sendrecv_mysqld_client_packets(httpd_t)
') ')
') ')

View File

@ -18,6 +18,27 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal; allow $1 mysqld_t:process signal;
') ')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mysql_tcp_connect',`
gen_require(`
type mysqld_t;
')
corenet_tcp_recvfrom_labeled($1, mysqld_t)
corenet_tcp_sendrecv_mysqld_port($1)
corenet_tcp_connect_mysqld_port($1)
corenet_sendrecv_mysqld_client_packets($1)
')
######################################## ########################################
## <summary> ## <summary>
## Connect to MySQL using a unix domain stream socket. ## Connect to MySQL using a unix domain stream socket.

View File

@ -1,5 +1,5 @@
policy_module(mysql, 1.8.0) policy_module(mysql, 1.8.1)
######################################## ########################################
# #

View File

@ -1283,3 +1283,38 @@ interface(`init_manage_utmp',`
files_search_pids($1) files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms; allow $1 initrc_var_run_t:file manage_file_perms;
') ')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_tcp_recvfrom_all_daemons',`
gen_require(`
attribute daemon;
')
corenet_tcp_recvfrom_labeled($1, daemon)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a udp socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_udp_recvfrom_all_daemons',`
gen_require(`
attribute daemon;
')
corenet_udp_recvfrom_labeled($1, daemon)
')

View File

@ -1,5 +1,5 @@
policy_module(init, 1.11.1) policy_module(init, 1.11.2)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;

View File

@ -549,6 +549,13 @@ template(`userdom_basic_networking_template',`
corenet_tcp_connect_all_ports($1_t) corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t) corenet_sendrecv_all_client_packets($1_t)
corenet_all_recvfrom_labeled($1_t, $1_t)
optional_policy(`
init_tcp_recvfrom_all_daemons($1_t)
init_udp_recvfrom_all_daemons($1_t)
')
optional_policy(` optional_policy(`
ipsec_match_default_spd($1_t) ipsec_match_default_spd($1_t)
') ')

View File

@ -1,5 +1,5 @@
policy_module(userdomain, 3.1.0) policy_module(userdomain, 3.1.1)
######################################## ########################################
# #