add tmpreaper
This commit is contained in:
parent
9a66d4e562
commit
ed78ea0034
@ -2,10 +2,13 @@
|
||||
* Add missing parts of unix stream socket connect interface
|
||||
of ipsec.
|
||||
* Rename inetd connect interface for consistency.
|
||||
* Rename interface for purging contents of tmp, for clarity,
|
||||
since it allows deletion of classes other than file.
|
||||
* Misc. cleanups.
|
||||
* Added policies:
|
||||
acct
|
||||
mysql
|
||||
tmpreaper
|
||||
|
||||
20050802 (2 Aug 2005)
|
||||
* Fix comparison bug in fc_sort.
|
||||
|
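--- /dev/null
+++ b/refpolicy/policy/modules/admin/tmpreaper.fc
@@ -0,0 +1,2 @@
+/usr/sbin/tmpreaper -- context_template(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/sbin/tmpwatch -- context_template(system_u:object_r:tmpreaper_exec_t,s0)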
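--- /dev/null
+++ b/refpolicy/policy/modules/admin/tmpreaper.if
@@ -0,0 +1,19 @@
+## <summary>Manage temporary directory sizes and file ages</summary>
+
+########################################
+## <summary>
+## Execute tmpreaper in the caller domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`tmpreaper_exec',`
+gen_require(`
+type tmpreaper_exec_t;
+')
+
+files_search_usr($1)
+corecmd_search_sbin($1)
+can_exec($1,tmpreaper_exec_t)
+')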
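Review bot: The summary `Execute tmpreaper in the caller domain.` should say explicitly that no domain transition takes place: `can_exec($1,tmpreaper_exec_t)` only lets the caller run the binary under its own type, so the purge, capability and cron rules given to tmpreaper_t in tmpreaper.te do not apply to it. I would extend the summary to `Execute tmpreaper in the caller domain. No transition to tmpreaper_t occurs; the caller needs its own permission to remove entries under /tmp (e.g. files_purge_tmp) for this to do anything useful.` Without that sentence a policy author reading the interface name may assume the caller inherits tmpreaper's deletion rights, which is the kind of assumption that ends in an over-broad allow rule added elsewhere to "make it work".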
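--- /dev/null
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@@ -0,0 +1,45 @@
+
+policy_module(tmpreaper,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type tmpreaper_t;
+role system_r types tmpreaper_t;
+domain_type(tmpreaper_t)
+
+type tmpreaper_exec_t;
+domain_entry_file(tmpreaper_t,tmpreaper_exec_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
+dev_read_urand(tmpreaper_t)
+
+fs_getattr_xattr_fs(tmpreaper_t)
+
+files_read_etc_files(tmpreaper_t)
+files_read_var_lib_files(tmpreaper_t)
+files_purge_tmp(tmpreaper_t)
+# why does it need setattr?
+files_setattr_all_tmp_dirs(tmpreaper_t)
+
+libs_use_ld_so(tmpreaper_t)
+libs_use_shared_libs(tmpreaper_t)
+
+logging_send_syslog_msg(tmpreaper_t)
+
+miscfiles_read_localization(tmpreaper_t)
+
+cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
+
+ifdef(`TODO',`
+allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
+')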
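Review bot: The comment `# why does it need setattr?` above `files_setattr_all_tmp_dirs(tmpreaper_t)` commits an open question into the policy, and the interface as added in this same commit (files.if) actually grants `search getattr` on tmpfile directories rather than setattr, so the call does not give what its name says. Either record the denial that motivated it, e.g. `# setattr on tmp dirs: needed for <reason seen in AVC>`, or drop the call until a denial justifies it; a tmp reaper that can rewrite directory attributes is broader than its job of unlinking aged entries, and the capability line `dac_override dac_read_search fowner` already makes this domain strong. Separately, the `ifdef(`TODO',...)` block names `home_type` and `file_t` directly rather than going through a files_/userdom_ interface, and if it is ever enabled it would let tmpreaper unlink any home-directory or default-labelled (file_t) content; I would keep it as a plain `# TODO:` comment describing the intent so the eventual grant is reviewed through the owning module's interface instead of being switched on by a define.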
@ -1329,7 +1329,7 @@ interface(`files_read_world_readable_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the tmp directory (/tmp)
|
||||
## Search the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
@ -1344,6 +1344,23 @@ interface(`files_search_tmp',`
|
||||
allow $1 tmp_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of all tmp directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_setattr_all_tmp_dirs',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
class dir { search setattr };
|
||||
')
|
||||
|
||||
allow $1 tmpfile:dir { search getattr };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_tmp_files(domain,private_type,[object class(es)])
|
||||
@ -1365,23 +1382,17 @@ interface(`files_create_tmp_files',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_delete_all_tmp_files(domain)
|
||||
# files_purge_tmp(domain)
|
||||
#
|
||||
interface(`files_delete_all_tmp_files',`
|
||||
interface(`files_purge_tmp',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
class dir { getattr search read write add_name remove_name rmdir };
|
||||
class file { getattr unlink };
|
||||
class lnk_file { getattr unlink };
|
||||
class fifo_file { getattr unlink };
|
||||
class sock_file { getattr unlink };
|
||||
class dir { rw_dir_perms rmdir };
|
||||
gen_require_set({ getattr unlink },notdevfile_class_set)
|
||||
')
|
||||
|
||||
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
|
||||
allow $1 tmpfile:file { getattr unlink };
|
||||
allow $1 tmpfile:lnk_file { getattr unlink };
|
||||
allow $1 tmpfile:fifo_file { getattr unlink };
|
||||
allow $1 tmpfile:sock_file { getattr unlink };
|
||||
allow $1 tmpfile:dir { rw_dir_perms rmdir };
|
||||
allow $1 tmpfile:notdevfile_class_set { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
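Review bot: `files_setattr_all_tmp_dirs` requires `class dir { search setattr }` but its only rule is `allow $1 tmpfile:dir { search getattr };`, so the interface never grants setattr and any caller relying on its name (tmpreaper.te calls it in this commit) will hit an AVC denial; the rule should read `allow $1 tmpfile:dir { search setattr };`, with getattr added to both the gen_require and the rule only if it is meant to be granted too. The renamed `files_purge_tmp` also keeps the old `#`-style header with no `## <summary>`/`## <param>` block, unlike `files_search_tmp` and the new interface just above it, so it is presumably skipped by the XML documentation tooling; a summary such as `Delete all files, symlinks, pipes, sockets and directories under tmp, regardless of their type.` would also make the reason for the rename visible to callers, since the rule now covers every notdevfile class rather than file alone. The enclosing file continues outside the hunk.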
@ -269,7 +269,7 @@ files_getattr_all_files(initrc_t)
|
||||
files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_delete_all_tmp_files(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
files_delete_all_locks(initrc_t)
|
||||
files_read_all_pids(initrc_t)
|
||||
files_delete_all_pids(initrc_t)
|
||||
|