xml updates and nis stuff

This commit is contained in:
Chris PeBenito 2005-06-24 20:37:09 +00:00
parent f8838e6ac1
commit e88003ffe3
6 changed files with 128 additions and 29 deletions

View File

@ -2,7 +2,7 @@
####################################### #######################################
## <summary> ## <summary>
## The per-userdomain template for the gpg module. ## The per user domain template for the gpg module.
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
@ -12,9 +12,9 @@
## in domains specific to the user type. ## in domains specific to the user type.
## </p> ## </p>
## <p> ## <p>
## This is invoked automatically for each user, and ## This is invoked automatically for each user and
## generally does not need to be statically invoked ## generally does not need to be invoked directly
## directly by policy writers. ## by policy writers.
## </p> ## </p>
## </desc> ## </desc>
## <param name="userdomain_prefix"> ## <param name="userdomain_prefix">

View File

@ -1,10 +1,26 @@
## <summary>Periodic execution of scheduled commands.</summary> ## <summary>Periodic execution of scheduled commands.</summary>
######################################## #######################################
## <summary>
## The per user domain template for the cron module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for running programs on behalf of the user, from cron.
## A type for the user crontab is also created.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
# #
# cron_per_userdomain_template(domainprefix)
#
template(`cron_per_userdomain_template',` template(`cron_per_userdomain_template',`
# Type of user crontabs once moved to cron spool. # Type of user crontabs once moved to cron spool.
@ -213,11 +229,21 @@ template(`cron_per_userdomain_template',`
') dnl endif TODO ') dnl endif TODO
') ')
######################################## #######################################
## <summary>
## The administrative functions template for the cron module.
## </summary>
## <desc>
## <p>
## This template creates rules for administrating the cron service,
## allowing the specified user to manage other user crontabs.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
# #
# cron_admin_template(domainprefix)
#
template(`cron_admin_template',` template(`cron_admin_template',`
logging_read_generic_logs($1_crond_t) logging_read_generic_logs($1_crond_t)

View File

@ -1,5 +1,26 @@
## <summary>Secure shell client and server policy.</summary> ## <summary>Secure shell client and server policy.</summary>
#######################################
## <summary>
## The per user domain template for the ssh module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for ssh client sessions and user ssh agents. A derived
## type is also created to protect the user ssh keys.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
#
template(`ssh_per_userdomain_template',` template(`ssh_per_userdomain_template',`
############################## ##############################
# #
@ -103,6 +124,8 @@ template(`ssh_per_userdomain_template',`
userdom_use_unpriv_users_fd($1_ssh_t) userdom_use_unpriv_users_fd($1_ssh_t)
nis_use_ypbind($1_ssh_t)
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenet_udp_sendrecv_all_if($1_ssh_t) corenet_udp_sendrecv_all_if($1_ssh_t)
@ -147,9 +170,6 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_t var_run_t:dir r_dir_perms; allow $1_ssh_t var_run_t:dir r_dir_perms;
allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
# Grant permissions needed to create TCP and UDP sockets and
# to access the network.
can_ypbind($1_ssh_t)
can_kerberos($1_ssh_t) can_kerberos($1_ssh_t)
allow $1_ssh_t $1_tmp_t:dir r_dir_perms; allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
@ -306,9 +326,23 @@ template(`ssh_per_userdomain_template',`
') dnl endif TODO ') dnl endif TODO
') ')
######################################## #######################################
# ## <summary>
# ## The template to define a ssh server.
## </summary>
## <desc>
## <p>
## This template creates a domains to be used for
## creating a ssh server. This is typically done
## to have multiple ssh servers of different sensitivities,
## such as for an internal network-facing ssh server, and
## a external network-facing ssh server.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
# #
template(`sshd_program_domain', ` template(`sshd_program_domain', `
type $1_t, ssh_server; #, nscd_client_domain; type $1_t, ssh_server; #, nscd_client_domain;

View File

@ -1,12 +1,28 @@
## <summary>Common policy for authentication and user login.</summary> ## <summary>Common policy for authentication and user login.</summary>
####################################### #######################################
## <summary>
## The per user domain template for the authlogin module.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to authenticate users by using PAM unix_chkpwd support.
## This domain will be used by any programs running in the
## user domain which use PAM to authenticate.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
# #
# Per user domain template for this module template(`authlogin_per_userdomain_template',`
#
# authlogin_per_userdomain_template(userdomain_prefix)
#
interface(`authlogin_per_userdomain_template',`
gen_require(` gen_require(`
attribute can_read_shadow_passwords; attribute can_read_shadow_passwords;
type chkpwd_exec_t, system_chkpwd_t, shadow_t; type chkpwd_exec_t, system_chkpwd_t, shadow_t;

View File

@ -259,9 +259,9 @@ interface(`init_exec_script',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Read the process state (/proc/pid) of the init scripts. ## Read the process state (/proc/pid) of the init scripts.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -327,9 +327,9 @@ interface(`init_get_script_process_group',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Read and write init script unnamed pipes. ## Read and write init script unnamed pipes.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -343,6 +343,24 @@ interface(`init_rw_script_pipe',`
allow $1 initrc_t:fifo_file { read write }; allow $1 initrc_t:fifo_file { read write };
') ')
########################################
## <summary>
## Send UDP network traffic to init scripts.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`init_udp_sendto_script',`
gen_require(`
type initrc_t;
class udp_socket { sendto recvfrom };
')
allow $1 initrc_t:udp_socket sendto;
allow initrc_t $1:udp_socket recvfrom;
')
######################################## ########################################
# #
# init_use_script_pty(domain) # init_use_script_pty(domain)
@ -371,9 +389,9 @@ interface(`init_dontaudit_use_script_pty',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Read and write init script temporary data. ## Read and write init script temporary data.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>

View File

@ -350,6 +350,11 @@ optional_policy(`lvm.te',`
dev_create_generic_chr_file(initrc_t) dev_create_generic_chr_file(initrc_t)
') ')
optional_policy(`nis.te',`
nis_udp_sendto_ypbind(initrc_t)
nis_list_var_yp(initrc_t)
')
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
corecmd_shell_entry_type(initrc_t) corecmd_shell_entry_type(initrc_t)
') ')