trunk: 3 patches from the fedora policy, cherry picked by David Hardeman.

This commit is contained in:
Chris PeBenito 2008-08-11 14:03:36 +00:00
parent 7aabe358f4
commit e0ed765c0e
7 changed files with 50 additions and 12 deletions

View File

@ -1,5 +1,5 @@
policy_module(corenetwork,1.2.16) policy_module(corenetwork, 1.2.17)
######################################## ########################################
# #
@ -109,6 +109,7 @@ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0) network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0) network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0) network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0) network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)

View File

@ -1,5 +1,5 @@
policy_module(qmail, 1.3.0) policy_module(qmail, 1.3.1)
######################################## ########################################
# #
@ -14,7 +14,7 @@ files_type(qmail_alias_home_t)
qmail_child_domain_template(qmail_clean, qmail_start_t) qmail_child_domain_template(qmail_clean, qmail_start_t)
type qmail_etc_t; type qmail_etc_t;
files_type(qmail_etc_t) files_config_file(qmail_etc_t)
type qmail_exec_t; type qmail_exec_t;
files_type(qmail_exec_t) files_type(qmail_exec_t)
@ -85,6 +85,8 @@ files_search_var(qmail_inject_t)
libs_use_ld_so(qmail_inject_t) libs_use_ld_so(qmail_inject_t)
libs_use_shared_libs(qmail_inject_t) libs_use_shared_libs(qmail_inject_t)
miscfiles_read_localization(qmail_inject_t)
qmail_read_config(qmail_inject_t) qmail_read_config(qmail_inject_t)
######################################## ########################################
@ -100,17 +102,24 @@ allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
can_exec(qmail_local_t, qmail_local_exec_t)
allow qmail_local_t qmail_queue_exec_t:file read; allow qmail_local_t qmail_queue_exec_t:file read;
allow qmail_local_t qmail_spool_t:file read_file_perms; allow qmail_local_t qmail_spool_t:file read_file_perms;
kernel_read_system_state(qmail_local_t) kernel_read_system_state(qmail_local_t)
corecmd_exec_bin(qmail_local_t)
corecmd_exec_shell(qmail_local_t) corecmd_exec_shell(qmail_local_t)
files_read_etc_files(qmail_local_t) files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t) files_read_etc_runtime_files(qmail_local_t)
auth_use_nsswitch(qmail_local_t)
logging_send_syslog_msg(qmail_local_t)
mta_append_spool(qmail_local_t) mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t) qmail_domtrans_queue(qmail_local_t)
@ -155,6 +164,10 @@ manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
corecmd_exec_bin(qmail_queue_t)
logging_send_syslog_msg(qmail_queue_t)
optional_policy(` optional_policy(`
daemontools_ipc_domain(qmail_queue_t) daemontools_ipc_domain(qmail_queue_t)
') ')

View File

@ -131,6 +131,25 @@ interface(`ipsec_setcontext_default_spd',`
allow $1 ipsec_spd_t:association setcontext; allow $1 ipsec_spd_t:association setcontext;
') ')
########################################
## <summary>
## write the ipsec_var_run_t files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ipsec_write_pid',`
gen_require(`
type ipsec_var_run_t;
')
files_search_pids($1)
write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete the IPSEC pid files. ## Create, read, write, and delete the IPSEC pid files.

View File

@ -1,5 +1,5 @@
policy_module(ipsec, 1.7.0) policy_module(ipsec, 1.7.1)
######################################## ########################################
# #
@ -69,9 +69,9 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
allow ipsec_t ipsec_var_run_t:file manage_file_perms; manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms; manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file }) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t) can_exec(ipsec_t, ipsec_mgmt_exec_t)

View File

@ -1,5 +1,5 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_var_lib_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_lock_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(iscsid,1.4.0) policy_module(iscsid, 1.4.1)
######################################## ########################################
# #
@ -29,7 +29,7 @@ files_pid_file(iscsi_var_run_t)
# #
allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
allow iscsid_t self:process { setrlimit setsched }; allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file { read write }; allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:unix_dgram_socket create_socket_perms;
@ -63,6 +63,7 @@ corenet_tcp_sendrecv_all_nodes(iscsid_t)
corenet_tcp_sendrecv_all_ports(iscsid_t) corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t) corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t) corenet_tcp_connect_iscsi_port(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t) dev_rw_sysfs(iscsid_t)

View File

@ -1,5 +1,5 @@
policy_module(sysnetwork, 1.7.0) policy_module(sysnetwork, 1.7.1)
######################################## ########################################
# #
@ -319,6 +319,10 @@ ifdef(`hide_broken_symptoms',`
') ')
') ')
optional_policy(`
ipsec_write_pid(ifconfig_t)
')
optional_policy(` optional_policy(`
netutils_domtrans(dhcpc_t) netutils_domtrans(dhcpc_t)
') ')