rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

add tmpreaper

Browse Source
This commit is contained in:
Chris PeBenito 2005-08-05 15:32:27 +00:00
parent 9a66d4e562
commit ed78ea0034
6 changed files with 94 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
refpolicy/Changelog
View File

@ -2,10 +2,13 @@
* Add missing parts of unix stream socket connect interface * Add missing parts of unix stream socket connect interface
of ipsec. of ipsec.
* Rename inetd connect interface for consistency. * Rename inetd connect interface for consistency.
* Rename interface for purging contents of tmp, for clarity,
since it allows deletion of classes other than file.
* Misc. cleanups. * Misc. cleanups.
* Added policies: * Added policies:
acct acct
mysql mysql
tmpreaper
20050802 (2 Aug 2005) 20050802 (2 Aug 2005)
* Fix comparison bug in fc_sort. * Fix comparison bug in fc_sort.

2
refpolicy/policy/modules/admin/tmpreaper.fc Normal file
View File

@ -0,0 +1,2 @@
/usr/sbin/tmpreaper -- context_template(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- context_template(system_u:object_r:tmpreaper_exec_t,s0)

19
refpolicy/policy/modules/admin/tmpreaper.if Normal file
View File

@ -0,0 +1,19 @@
## <summary>Manage temporary directory sizes and file ages</summary>
########################################
## <summary>
## Execute tmpreaper in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`tmpreaper_exec',`
gen_require(`
type tmpreaper_exec_t;
')
files_search_usr($1)
corecmd_search_sbin($1)
can_exec($1,tmpreaper_exec_t)
')

45
refpolicy/policy/modules/admin/tmpreaper.te Normal file
View File

@ -0,0 +1,45 @@
policy_module(tmpreaper,1.0)
########################################
#
# Declarations
#
type tmpreaper_t;
role system_r types tmpreaper_t;
domain_type(tmpreaper_t)
type tmpreaper_exec_t;
domain_entry_file(tmpreaper_t,tmpreaper_exec_t)
########################################
#
# Local Policy
#
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
dev_read_urand(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
libs_use_ld_so(tmpreaper_t)
libs_use_shared_libs(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
ifdef(`TODO',`
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
')

37
refpolicy/policy/modules/system/files.if
View File

@ -1329,7 +1329,7 @@ interface(`files_read_world_readable_sockets',`
######################################## ########################################
## <summary> ## <summary>
## Search the tmp directory (/tmp) ## Search the tmp directory (/tmp).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
@ -1344,6 +1344,23 @@ interface(`files_search_tmp',`
allow $1 tmp_t:dir search; allow $1 tmp_t:dir search;
') ')
########################################
## <summary>
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_setattr_all_tmp_dirs',`
gen_require(`
attribute tmpfile;
class dir { search setattr };
')
allow $1 tmpfile:dir { search getattr };
')
######################################## ########################################
# #
# files_create_tmp_files(domain,private_type,[object class(es)]) # files_create_tmp_files(domain,private_type,[object class(es)])
@ -1365,23 +1382,17 @@ interface(`files_create_tmp_files',`
######################################## ########################################
# #
# files_delete_all_tmp_files(domain) # files_purge_tmp(domain)
# #
interface(`files_delete_all_tmp_files',` interface(`files_purge_tmp',`
gen_require(` gen_require(`
attribute tmpfile; attribute tmpfile;
class dir { getattr search read write add_name remove_name rmdir }; class dir { rw_dir_perms rmdir };
class file { getattr unlink }; gen_require_set({ getattr unlink },notdevfile_class_set)
class lnk_file { getattr unlink };
class fifo_file { getattr unlink };
class sock_file { getattr unlink };
') ')
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir }; allow $1 tmpfile:dir { rw_dir_perms rmdir };
allow $1 tmpfile:file { getattr unlink }; allow $1 tmpfile:notdevfile_class_set { getattr unlink };
allow $1 tmpfile:lnk_file { getattr unlink };
allow $1 tmpfile:fifo_file { getattr unlink };
allow $1 tmpfile:sock_file { getattr unlink };
') ')
######################################## ########################################

2
refpolicy/policy/modules/system/init.te
View File

@ -269,7 +269,7 @@ files_getattr_all_files(initrc_t)
files_getattr_all_symlinks(initrc_t) files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_delete_all_tmp_files(initrc_t) files_purge_tmp(initrc_t)
files_delete_all_locks(initrc_t) files_delete_all_locks(initrc_t)
files_read_all_pids(initrc_t) files_read_all_pids(initrc_t)
files_delete_all_pids(initrc_t) files_delete_all_pids(initrc_t)