add webalizer and sasl
This commit is contained in:
parent
4483ee849c
commit
f33561f560
@ -21,6 +21,8 @@
|
||||
ftp
|
||||
kudzu
|
||||
radvd
|
||||
sasl
|
||||
webalizer
|
||||
|
||||
* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
|
||||
- Make logrotate, sendmail, sshd, and rpm policies
|
||||
|
@ -30,6 +30,9 @@ gen_tunable(allow_httpd_anon_write,false)
|
||||
## Allow system to run with kerberos
|
||||
gen_tunable(allow_kerberos,false)
|
||||
|
||||
## Allow sasl to read shadow
|
||||
gen_tunable(allow_saslauthd_read_shadow,false)
|
||||
|
||||
## allow host key based authentication
|
||||
gen_tunable(allow_ssh_keysign,false)
|
||||
|
||||
|
10
refpolicy/policy/modules/apps/webalizer.fc
Normal file
10
refpolicy/policy/modules/apps/webalizer.fc
Normal file
@ -0,0 +1,10 @@
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/lib/webalizer(/.*) gen_context(system_u:object_r:webalizer_var_lib_t,s0)
|
1
refpolicy/policy/modules/apps/webalizer.if
Normal file
1
refpolicy/policy/modules/apps/webalizer.if
Normal file
@ -0,0 +1 @@
|
||||
## <summary>Web server log analysis</summary>
|
113
refpolicy/policy/modules/apps/webalizer.te
Normal file
113
refpolicy/policy/modules/apps/webalizer.te
Normal file
@ -0,0 +1,113 @@
|
||||
|
||||
policy_module(webalizer,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
type webalizer_t;
|
||||
type webalizer_exec_t;
|
||||
domain_type(webalizer_t)
|
||||
domain_entry_file(webalizer_t,webalizer_exec_t)
|
||||
role system_r types webalizer_t;
|
||||
|
||||
type webalizer_etc_t; #, usercanread;
|
||||
files_type(webalizer_etc_t)
|
||||
|
||||
type webalizer_usage_t;
|
||||
files_type(webalizer_usage_t)
|
||||
|
||||
type webalizer_tmp_t;
|
||||
files_tmp_file(webalizer_tmp_t)
|
||||
|
||||
type webalizer_var_lib_t;
|
||||
files_type(webalizer_var_lib_t)
|
||||
|
||||
type webalizer_write_t;
|
||||
files_type(webalizer_write_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow webalizer_t self:capability dac_override;
|
||||
allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow webalizer_t self:fd use;
|
||||
allow webalizer_t self:fifo_file rw_file_perms;
|
||||
allow webalizer_t self:shm create_shm_perms;
|
||||
allow webalizer_t self:sem create_sem_perms;
|
||||
allow webalizer_t self:msgq create_msgq_perms;
|
||||
allow webalizer_t self:msg { send receive };
|
||||
allow webalizer_t self:unix_dgram_socket create_socket_perms;
|
||||
allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow webalizer_t self:unix_dgram_socket sendto;
|
||||
allow webalizer_t self:unix_stream_socket connectto;
|
||||
allow webalizer_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow webalizer_t self:udp_socket { connect connected_socket_perms };
|
||||
|
||||
allow webalizer_t webalizer_etc_t:file { getattr read };
|
||||
|
||||
allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
|
||||
allow webalizer_t webalizer_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(webalizer_t, webalizer_tmp_t, { file dir })
|
||||
|
||||
allow webalizer_t webalizer_var_lib_t:file create_file_perms;
|
||||
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
|
||||
files_create_var_lib(webalizer_t,webalizer_var_lib_t)
|
||||
|
||||
kernel_read_kernel_sysctl(webalizer_t)
|
||||
kernel_read_system_state(webalizer_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(webalizer_t)
|
||||
corenet_udp_sendrecv_all_if(webalizer_t)
|
||||
corenet_raw_sendrecv_all_if(webalizer_t)
|
||||
corenet_udp_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_raw_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_ports(webalizer_t)
|
||||
corenet_udp_sendrecv_all_ports(webalizer_t)
|
||||
corenet_tcp_bind_all_nodes(webalizer_t)
|
||||
corenet_udp_bind_all_nodes(webalizer_t)
|
||||
|
||||
fs_search_auto_mountpoints(webalizer_t)
|
||||
|
||||
files_read_etc_files(webalizer_t)
|
||||
files_read_etc_runtime_files(webalizer_t)
|
||||
|
||||
libs_use_ld_so(webalizer_t)
|
||||
libs_use_shared_libs(webalizer_t)
|
||||
|
||||
logging_list_logs(webalizer_t)
|
||||
logging_send_syslog_msg(webalizer_t)
|
||||
|
||||
miscfiles_read_localization(webalizer_t)
|
||||
|
||||
sysnet_read_config(webalizer_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(webalizer_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(webalizer_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(webalizer_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_system_entry(webalizer_t,webalizer_exec_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# a "run" interface needs to be
|
||||
# added, and have sysadm_t use it
|
||||
# in a optional_policy block.
|
||||
|
||||
allow webalizer_t httpd_log_t:dir { getattr read search };
|
||||
allow webalizer_t httpd_log_t:file { read getattr };
|
||||
allow webalizer_t httpd_log_t:lnk_file { getattr read };
|
||||
|
||||
allow webalizer_t httpd_sys_content_t:dir create_dir_perms;
|
||||
allow webalizer_t httpd_sys_content_t:file create_file_perms;
|
||||
allow webalizer_t httpd_sys_content_t:lnk_file create_lnk_perms;
|
||||
')
|
10
refpolicy/policy/modules/services/sasl.fc
Normal file
10
refpolicy/policy/modules/services/sasl.fc
Normal file
@ -0,0 +1,10 @@
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
|
1
refpolicy/policy/modules/services/sasl.if
Normal file
1
refpolicy/policy/modules/services/sasl.if
Normal file
@ -0,0 +1 @@
|
||||
## <summary>SASL authentication server</summary>
|
108
refpolicy/policy/modules/services/sasl.te
Normal file
108
refpolicy/policy/modules/services/sasl.te
Normal file
@ -0,0 +1,108 @@
|
||||
|
||||
policy_module(sasl,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type saslauthd_t;
|
||||
type saslauthd_exec_t;
|
||||
init_daemon_domain(saslauthd_t,saslauthd_exec_t)
|
||||
|
||||
type saslauthd_var_run_t;
|
||||
files_pid_file(saslauthd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
dontaudit saslauthd_t self:capability sys_tty_config;
|
||||
allow saslauthd_t self:process signal_perms;
|
||||
allow saslauthd_t self:fifo_file { read write };
|
||||
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow saslauthd_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
|
||||
allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
|
||||
allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(saslauthd_t,saslauthd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(saslauthd_t)
|
||||
kernel_read_system_state(saslauthd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(saslauthd_t)
|
||||
corenet_raw_sendrecv_all_if(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(saslauthd_t)
|
||||
corenet_raw_sendrecv_all_nodes(saslauthd_t)
|
||||
corenet_tcp_sendrecv_all_ports(saslauthd_t)
|
||||
corenet_tcp_bind_all_nodes(saslauthd_t)
|
||||
corenet_tcp_connect_pop_port(saslauthd_t)
|
||||
|
||||
dev_read_sysfs(saslauthd_t)
|
||||
dev_read_urand(saslauthd_t)
|
||||
|
||||
fs_getattr_all_fs(saslauthd_t)
|
||||
fs_search_auto_mountpoints(saslauthd_t)
|
||||
|
||||
term_dontaudit_use_console(saslauthd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(saslauthd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(saslauthd_t)
|
||||
|
||||
files_read_etc_files(saslauthd_t)
|
||||
files_search_var_lib(saslauthd_t)
|
||||
files_dontaudit_getattr_home_dir(saslauthd_t)
|
||||
|
||||
init_use_fd(saslauthd_t)
|
||||
init_use_script_pty(saslauthd_t)
|
||||
init_dontaudit_unix_connect_script(saslauthd_t)
|
||||
|
||||
libs_use_ld_so(saslauthd_t)
|
||||
libs_use_shared_libs(saslauthd_t)
|
||||
|
||||
logging_send_syslog_msg(saslauthd_t)
|
||||
|
||||
miscfiles_read_localization(saslauthd_t)
|
||||
miscfiles_read_certs(saslauthd_t)
|
||||
|
||||
seutil_dontaudit_read_config(saslauthd_t)
|
||||
|
||||
sysnet_read_config(saslauthd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(saslauthd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(saslauthd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(saslauthd_t)
|
||||
term_dontaudit_use_generic_pty(saslauthd_t)
|
||||
files_dontaudit_read_root_file(saslauthd_t)
|
||||
')
|
||||
|
||||
# cjp: typeattribute doesnt work in conditionals yet
|
||||
#tunable_policy(`allow_saslauthd_read_shadow',`
|
||||
# auth_read_shadow(saslauthd_t)
|
||||
#')
|
||||
|
||||
optional_policy(`mysql.te',`
|
||||
mysql_search_db_dir(saslauthd_t)
|
||||
mysql_stream_connect(saslauthd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(saslauthd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(saslauthd_t)
|
||||
')
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(saslauthd_t)
|
||||
')
|
||||
')
|
@ -1499,8 +1499,7 @@ interface(`files_manage_isid_type_chr_node',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the home directories root
|
||||
## Get the attributes of the home directories root
|
||||
## (/home).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -1510,10 +1509,27 @@ interface(`files_manage_isid_type_chr_node',`
|
||||
interface(`files_getattr_home_dir',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir search;
|
||||
allow $1 home_root_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the home directories root
|
||||
## (/home).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_home_dir',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
')
|
||||
|
||||
dontaudit $1 home_root_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -421,6 +421,24 @@ interface(`init_unix_connect_script',`
|
||||
allow $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dont audit the specified domain connecting to
|
||||
## init scripts with a unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dontaudit_unix_connect_script',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
class unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read init scripts.
|
||||
|
@ -128,6 +128,23 @@ interface(`logging_search_logs',`
|
||||
allow $1 var_log_t:dir search;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## List the contents of the generic log directory (/var/log).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_list_logs',`
|
||||
gen_require(`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read and write the generic log directory (/var/log).
|
||||
|
Loading…
Reference in New Issue
Block a user