From f8b3b7fa48ec50bcc2f11d4df1ef575d7ffb3dff Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Wed, 31 Mar 2010 15:23:29 -0400
Subject: [PATCH] Nut policy from Dan Walsh Dropped optional policy for shutdown_domtrans Dropped commented can_exec line
---
 policy/modules/services/nut.te | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
index 20d42542..fd7f95a5 100644
--- a/policy/modules/services/nut.te
+++ b/policy/modules/services/nut.te
@@ -29,7 +29,8 @@ files_pid_file(nut_var_run_t)
 # Local policy for upsd
 #
 
-allow nut_upsd_t self:capability { setgid setuid };
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+
 allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
 
@@ -86,6 +87,7 @@ corenet_tcp_connect_generic_port(nut_upsmon_t)
 # Creates /etc/killpower
 files_manage_etc_runtime_files(nut_upsmon_t)
 files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+files_search_usr(nut_upsmon_t)
 
 # /usr/bin/wall
 term_write_all_terms(nut_upsmon_t)
@@ -100,6 +102,8 @@ auth_use_nsswitch(nut_upsmon_t)
 
 miscfiles_read_localization(nut_upsmon_t)
 
+mta_send_mail(nut_upsmon_t)
+
 ########################################
 #
 # Local policy for upsdrvctl
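Review bot: `dac_override` on the `allow nut_upsd_t self:capability` line lets upsd ignore discretionary permission checks on every file it touches, and neither the commit message nor the policy says which access required it. A need for this capability usually points at an ownership or mode mismatch on a file the daemon opens, and that is better corrected on the file than by widening the domain. If the logged denial was only a read or a directory search, `dac_read_search` would be the narrower grant. If the capability stays, record the reason above the rule, for example `# dac_override: needed for <path from the AVC denial>`.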
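Review bot: `files_search_usr(nut_upsmon_t)` is added under the `# Creates /etc/killpower` comment, which does not explain a search of /usr. If the access is what lets upsmon reach the binary named in the following `# /usr/bin/wall` comment (an inference, the hunk does not say so), move the line below that comment or give it its own, e.g. `# search /usr to reach notification helpers`.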
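Review bot: `mta_send_mail(nut_upsmon_t)` is called unconditionally, so nut.te only builds when the mta module is part of the policy. The apache-specific rules at the end of this file sit inside an `optional_policy` block, and the mail call should be wrapped the same way unless the unconditional form is deliberate (the commit message mentions dropping an optional block for shutdown_domtrans, not for this one). The rule also lets upsmon hand data to the mail domain, so a one-line comment saying what sends mail would help later audits, e.g. `# notification mail to the administrator - TODO confirm`.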
@@ -149,5 +153,15 @@ optional_policy(`
 
 read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
 
+ corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
 corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
 ')
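Review bot: `corenet_tcp_sendrecv_all_ports` and the three `corenet_udp_sendrecv_*` lines give the web-facing CGI domain send/receive rights on every port, while the only connection this block names is `corenet_tcp_connect_ups_port`. Name lookups are handled by the added `sysnet_dns_name_resolve`, which should already carry what a resolver needs, so the UDP rules look unnecessary unless a logged denial showed otherwise. For a domain that processes request data from the network I would keep the grant to the UPS port, e.g. `corenet_tcp_sendrecv_ups_port(httpd_nutups_cgi_script_t)` in place of the all-ports line, and drop the UDP lines. The enclosing `optional_policy` block starts above the hunk, so rules outside it could not be checked here.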