- Cleanup of aiccu policy

- initial mock policy
This commit is contained in:
Daniel J Walsh 2010-06-11 15:39:46 +00:00
parent f651bb6fdc
commit f2403c5b4f
4 changed files with 553 additions and 74 deletions

View File

@ -968,6 +968,13 @@ miscfiles = base
#
mls = base
# Layer: services
# Module: mock
#
# Policy for mock rpm builder
#
mock = base
# Layer: system
# Module: modutils
#

View File

@ -968,6 +968,13 @@ miscfiles = base
#
mls = base
# Layer: services
# Module: mock
#
# Policy for mock rpm builder
#
mock = base
# Layer: system
# Module: modutils
#

View File

@ -602,8 +602,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.3/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te 2010-06-08 11:32:10.000000000 -0400
@@ -144,15 +144,27 @@
+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te 2010-06-10 08:42:54.000000000 -0400
@@ -52,6 +52,8 @@
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
@@ -144,15 +146,27 @@
init_dontaudit_use_fds(ping_t)
optional_policy(`
@ -631,9 +640,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
pcmcia_use_cardmgr_fds(ping_t)
')
@@ -213,3 +225,10 @@
@@ -212,4 +226,12 @@
#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
+dev_read_usbmon_dev(netutils_t)
files_read_usr_files(traceroute_t)
+
+term_use_all_terms(traceroute_t)
@ -763,7 +774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.3/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if 2010-06-09 17:43:12.000000000 -0400
@@ -13,11 +13,36 @@
interface(`rpm_domtrans',`
gen_require(`
@ -883,7 +894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
@@ -556,3 +626,48 @@
@@ -556,3 +626,66 @@
files_pid_filetrans($1, rpm_var_run_t, file)
')
@ -932,6 +943,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+')
+
+
+########################################
+## <summary>
+## Make rpm_exec_t an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_entry_type',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ domain_entry_file($1, rpm_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.te 2010-06-08 11:32:10.000000000 -0400
@ -1119,8 +1148,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.3/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te 2010-06-08 11:32:10.000000000 -0400
@@ -87,7 +87,11 @@
+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te 2010-06-11 10:56:42.000000000 -0400
@@ -81,13 +81,18 @@
init_rw_utmp(shorewall_t)
+logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
@ -4986,7 +5022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.3/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if 2010-06-09 17:41:04.000000000 -0400
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@ -6678,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in 2010-06-11 11:15:13.000000000 -0400
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@ -6774,8 +6810,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
@@ -184,15 +202,17 @@
@@ -182,17 +200,20 @@
network_port(sap, tcp,9875,s0, udp,9875,s0)
network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
@ -6793,7 +6832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -205,13 +225,13 @@
@@ -205,13 +226,13 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -10880,19 +10919,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
corenet_tcp_sendrecv_generic_if(afs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.3/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc 2010-06-08 11:32:10.000000000 -0400
@@ -0,0 +1,5 @@
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc 2010-06-11 11:16:28.000000000 -0400
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.3/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if 2010-06-08 11:32:10.000000000 -0400
@@ -0,0 +1,119 @@
+
+## <summary>policy for aiccu</summary>
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if 2010-06-11 11:15:13.000000000 -0400
@@ -0,0 +1,118 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
@ -10910,6 +10949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+ corecmd_search_bin($1)
+')
+
+
@ -10919,7 +10959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
@ -10946,13 +10986,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ type aiccu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 aiccu_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage aiccu var_run files.
+## Manage aiccu PID files.
+## </summary>
+## <param name="domain">
+## <summary>
@ -10965,9 +11005,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ type aiccu_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+ files_search_pids($1)
+')
+
+
@ -10990,31 +11031,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+#
+interface(`aiccu_admin',`
+ gen_require(`
+ type aiccu_t;
+ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+ type aiccu_var_run_t;
+ ')
+
+ allow $1 aiccu_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, aiccu_t, aiccu_t)
+ allow $1 aiccu_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aiccu_t)
+
+
+ gen_require(`
+ type aiccu_initrc_exec_t;
+ ')
+
+ # Allow aiccu_t to restart the apache service
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ aiccu_manage_var_run($1)
+ admin_pattern($1, aiccu_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, aiccu_var_run_t)
+ files_search_pids($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.3/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te 2010-06-08 11:32:10.000000000 -0400
@@ -0,0 +1,42 @@
+policy_module(aiccu,1.0.0)
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te 2010-06-11 11:20:20.000000000 -0400
@@ -0,0 +1,71 @@
+
+policy_module(aiccu, 1.0.0)
+
+########################################
+#
@ -11028,6 +11068,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
@ -11036,26 +11079,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill };
+allow aiccu_t self:process { fork signal };
+
+# Init script handling
+domain_use_interactive_fds(aiccu_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow aiccu_t self:capability { kill net_admin };
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(aiccu_t)
+
+corenet_rw_tun_tap_dev(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+modutils_domtrans_insmod(aiccu_t)
+
+sysnet_domtrans_ifconfig(aiccu_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.3/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/aisexec.te 2010-06-08 11:32:10.000000000 -0400
@ -12987,7 +13055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.3/policy/modules/services/cmirrord.if
--- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if 2010-06-10 08:52:34.000000000 -0400
@@ -0,0 +1,118 @@
+
+## <summary>policy for cmirrord</summary>
@ -13060,14 +13128,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t;
+ type cmirrord_tmpfs_t;
+ type cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
@ -13320,7 +13388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.3/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-11 11:31:01.000000000 -0400
@@ -33,8 +33,8 @@
# corosync local policy
#
@ -13368,17 +13436,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
@@ -91,6 +97,10 @@
@@ -91,12 +97,12 @@
')
optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(corosync_t)
-
- rhcs_rw_fenced_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
+
+optional_policy(`
# to communication with RHCS
rhcs_rw_dlm_controld_semaphores(corosync_t)
- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.3/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/cron.fc 2010-06-08 11:32:10.000000000 -0400
@ -15791,6 +15866,301 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
## Manage spamassassin milter state
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.3/policy/modules/services/mock.fc
--- nsaserefpolicy/policy/modules/services/mock.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/mock.fc 2010-06-09 17:38:11.000000000 -0400
@@ -0,0 +1,6 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
+
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.3/policy/modules/services/mock.if
--- nsaserefpolicy/policy/modules/services/mock.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/mock.if 2010-06-09 17:38:11.000000000 -0400
@@ -0,0 +1,183 @@
+
+## <summary>policy for mock</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mock_domtrans',`
+ gen_require(`
+ type mock_t, mock_exec_t;
+ ')
+
+ domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+
+########################################
+## <summary>
+## Search mock lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_search_lib',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_read_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mock lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_files',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage mock lib dirs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mock_manage_lib_dirs',`
+ gen_require(`
+ type mock_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Execute mock in the mock domain, and
+## allow the specified role the mock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mock domain.
+## </summary>
+## </param>
+#
+interface(`mock_run',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ mock_domtrans($1)
+ role $2 types mock_t;
+')
+
+########################################
+## <summary>
+## Role access for mock
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mock_role',`
+ gen_require(`
+ type mock_t;
+ ')
+
+ role $1 types mock_t;
+
+ mock_domtrans($2)
+
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process signal;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an mock environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_admin',`
+ gen_require(`
+ type mock_t;
+ type mock_var_lib_t;
+ ')
+
+ allow $1 mock_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mock_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mock_var_lib_t)
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.3/policy/modules/services/mock.te
--- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-09 17:44:30.000000000 -0400
@@ -0,0 +1,94 @@
+policy_module(mock,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+permissive mock_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+########################################
+#
+# mock local policy
+#
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
+can_exec(mock_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
+can_exec(mock_t, mock_var_lib_t)
+allow mock_t mock_var_lib_t:dir mounton;
+
+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+
+corenet_tcp_connect_http_port(mock_t)
+
+dev_read_urand(mock_t)
+
+domain_poly(mock_t)
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_files(mock_t)
+files_read_usr_files(mock_t)
+
+fs_getattr_all_fs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+
+libs_domtrans_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+miscfiles_read_localization(mock_t)
+
+mount_domtrans(mock_t)
+
+optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_db(mock_t)
+ rpm_entry_type(mock_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.3/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/modemmanager.te 2010-06-08 11:32:10.000000000 -0400
@ -19103,10 +19473,89 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.3/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-11 11:30:32.000000000 -0400
@@ -14,6 +14,7 @@
template(`rhcs_domain_template',`
gen_require(`
attribute cluster_domain;
+ attribute cluster_tmpfs;
')
##############################
@@ -25,7 +26,7 @@
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
- type $1_tmpfs_t;
+ type $1_tmpfs_t, cluster_tmpfs;
files_tmpfs_file($1_tmpfs_t)
type $1_var_log_t;
@@ -335,6 +336,28 @@
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_shm',`
+ gen_require(`
+ attribute cluster_domain;
+ attribute cluster_tmpfs;
+ ')
+
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
######################################
## <summary>
## Execute a domain transition to run qdiskd.
@@ -353,3 +376,21 @@
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
+
+########################################
+## <summary>
+## Allow domain to read qdiskd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+ gen_require(`
+ type qdiskd_tmpfs_t;
+ ')
+
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.3/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te 2010-06-08 11:32:10.000000000 -0400
@@ -56,17 +56,13 @@
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te 2010-06-11 11:31:16.000000000 -0400
@@ -14,6 +14,7 @@
gen_tunable(fenced_can_network_connect, false)
attribute cluster_domain;
+attribute cluster_tmpfs;
rhcs_domain_template(dlm_controld)
@@ -56,17 +57,13 @@
init_rw_script_tmp_files(dlm_controld_t)
@ -19125,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
@@ -83,7 +79,10 @@
@@ -83,7 +80,10 @@
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -19136,7 +19585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
corenet_tcp_connect_http_port(fenced_t)
@@ -107,7 +106,6 @@
@@ -107,7 +107,6 @@
optional_policy(`
ccs_read_config(fenced_t)
@ -19144,7 +19593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
')
optional_policy(`
@@ -140,10 +138,6 @@
@@ -140,10 +139,6 @@
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@ -19155,7 +19604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
@@ -169,7 +163,7 @@
@@ -169,7 +164,7 @@
# qdiskd local policy
#
@ -19164,7 +19613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
@@ -208,10 +202,6 @@
@@ -208,10 +203,6 @@
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@ -19175,7 +19624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
netutils_domtrans_ping(qdiskd_t)
')
@@ -237,5 +227,9 @@
@@ -237,5 +228,9 @@
miscfiles_read_localization(cluster_domain)
optional_policy(`
@ -21127,6 +21576,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
#######################################
## <summary>
## Read varnish logs.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.3/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/vhostmd.if 2010-06-10 08:52:54.000000000 -0400
@@ -42,7 +42,7 @@
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.3/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/vhostmd.te 2010-06-08 11:32:10.000000000 -0400
@ -23631,7 +24092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 16:31:07.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 17:42:17.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@ -28117,7 +28578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-06-08 10:35:48.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if 2010-06-08 11:56:33.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if 2010-06-10 09:12:21.000000000 -0400
@@ -30,8 +30,9 @@
')

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.3
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -469,6 +469,10 @@ exit 0
%endif
%changelog
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3
- Cleanup of aiccu policy
- initial mock policy
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
- Lots of random fixes