add radvd, plus a few cleanups from sediff

2005-09-23 21:20:03 +00:00 · 2005-09-23 21:20:03 +00:00 · fa67570d9a
parent 842859260c
commit fa67570d9a
10 changed files with 137 additions and 9 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,6 +1,7 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 	kudzu
+	radvd

 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
 - Make logrotate, sendmail, sshd, and rpm policies
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@ -29,7 +29,7 @@ allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
 allow kudzu_t self:udp_socket { create ioctl };

-allow kudzu_t kudzu_tmp_t:{ dir } create_file_perms;
+allow kudzu_t kudzu_tmp_t:dir create_file_perms;
 allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
 files_create_tmp_files(kudzu_t, kudzu_tmp_t, { file dir chr_file })

@ -81,7 +81,6 @@ domain_use_wide_inherit_fd(kudzu_t)

 files_search_var(kudzu_t)
 files_search_locks(kudzu_t)
-files_exec_etc_files(kudzu_t)
 files_manage_etc_files(kudzu_t)
 files_manage_etc_runtime_files(kudzu_t)
 files_manage_mnt_files(kudzu_t)
@ -98,8 +97,6 @@ init_use_fd(kudzu_t)
 init_use_script_pty(kudzu_t)
 init_unix_connect_script(kudzu_t)

-libs_exec_ld_so(kudzu_t)
-libs_exec_lib_files(kudzu_t)
 libs_use_ld_so(kudzu_t)
 libs_use_shared_libs(kudzu_t)
 # Read /usr/lib/gconv/gconv-modules.*
@ -110,6 +107,7 @@ logging_send_syslog_msg(kudzu_t)
 miscfiles_read_localization(kudzu_t)

 modutils_read_module_conf(kudzu_t)
+modutils_domtrans_insmod(kudzu_t)

 sysnet_read_config(kudzu_t)

@ -130,6 +128,10 @@ optional_policy(`gpm.te',`
 	gpm_getattr_gpmctl(kudzu_t)
 ')

+optional_policy(`nscd.te',`
+	nscd_use_socket(kudzu_t)
+')
+
 optional_policy(`selinuxutil.te',`
        seutil_sigchld_newrole(kudzu_t)
 ')
@ -139,6 +141,7 @@ optional_policy(`udev.te',`
 ')

 ifdef(`TODO',`
+allow kudzu_t modules_conf_t:file unlink;
 optional_policy(`rhgb.te',`
        rhgb_domain(kudzu_t)
 ')
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@ -43,6 +43,12 @@ interface(`nis_use_ypbind',`
 		corenet_tcp_connect_reserved_port($1)
 		corenet_tcp_connect_generic_port($1)
 		corenet_dontaudit_tcp_connect_all_reserved_ports($1)
+
+		sysnet_read_config($1)
+
+		optional_policy(`mount.te',`
+			mount_send_nfs_client_request($1)
+		')
 	',`
 		dontaudit $1 var_yp_t:dir search;
 	')
--- a/refpolicy/policy/modules/services/radvd.fc
+++ b/refpolicy/policy/modules/services/radvd.fc
@ -0,0 +1,7 @@
+
+/etc/radvd\.conf	--	context_template(system_u:object_r:radvd_etc_t,s0)
+
+/usr/sbin/radvd		--	context_template(system_u:object_r:radvd_exec_t,s0)
+
+/var/run/radvd\.pid	--	context_template(system_u:object_r:radvd_var_run_t,s0)
+/var/run/radvd(/.*)?		context_template(system_u:object_r:radvd_var_run_t,s0)
--- a/refpolicy/policy/modules/services/radvd.if
+++ b/refpolicy/policy/modules/services/radvd.if
@ -0,0 +1 @@
+## <summary>IPv6 router advertisement daemon</summary>
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@ -0,0 +1,102 @@
+
+policy_module(radvd,1.0)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t,radvd_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+type radvd_etc_t; #, usercanread;
+files_type(radvd_etc_t)
+
+########################################
+#
+# Local policy
+#
+allow radvd_t self:capability { setgid setuid net_raw };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process signal_perms;
+allow radvd_t self:unix_dgram_socket create_socket_perms;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket create_stream_socket_perms;
+allow radvd_t self:udp_socket create_socket_perms;
+
+allow radvd_t radvd_etc_t:file { getattr read };
+
+allow radvd_t radvd_var_run_t:file create_file_perms;
+allow radvd_t radvd_var_run_t:dir rw_dir_perms;
+files_create_pid(radvd_t,radvd_var_run_t)
+
+kernel_read_kernel_sysctl(radvd_t)
+kernel_read_net_sysctl(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+
+corenet_tcp_sendrecv_all_if(radvd_t)
+corenet_udp_sendrecv_all_if(radvd_t)
+corenet_raw_sendrecv_all_if(radvd_t)
+corenet_tcp_sendrecv_all_nodes(radvd_t)
+corenet_udp_sendrecv_all_nodes(radvd_t)
+corenet_raw_sendrecv_all_nodes(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+corenet_tcp_bind_all_nodes(radvd_t)
+corenet_udp_bind_all_nodes(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+term_dontaudit_use_console(radvd_t)
+
+domain_use_wide_inherit_fd(radvd_t)
+
+files_read_etc_files(radvd_t)
+files_list_usr(radvd_t)
+
+init_use_fd(radvd_t)
+init_use_script_pty(radvd_t)
+
+libs_use_ld_so(radvd_t)
+libs_use_shared_libs(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+sysnet_read_config(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(radvd_t)
+userdom_dontaudit_search_sysadm_home_dir(radvd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(radvd_t)
+	term_dontaudit_use_generic_pty(radvd_t)
+	files_dontaudit_read_root_file(radvd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(radvd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(radvd_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(radvd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(radvd_t)
+')
+')
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@ -118,6 +118,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(snmpd_t)
 ')

+optional_policy(`nis.te',`
+	nis_use_ypbind(snmpd_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(snmpd_t)
 ')
@ -130,11 +134,6 @@ optional_policy(`udev.te', `
 	udev_read_db(snmpd_t)
 ')

-optional_policy(`nis.te',`
-	nis_use_ypbind(snmpd_t)
-')
-
-
 ifdef(`TODO',`
 can_udp_send(sysadm_t, snmpd_t)
 can_udp_send(snmpd_t, sysadm_t)
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -475,6 +475,7 @@ optional_policy(`mysql.te',`
 ')

 optional_policy(`nis.te',`
+	nis_use_ypbind(initrc_t)
 	nis_udp_sendto_ypbind(initrc_t)
 	nis_list_var_yp(initrc_t)
 ')
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -121,6 +121,10 @@ optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')

+optional_policy(`nis.te',`
+	nis_use_ypbind(insmod_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(insmod_t)
 ')
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@ -161,6 +161,10 @@ optional_policy(`hotplug.te',`
 	hotplug_read_config(udev_t)
 ')

+optional_policy(`nis.te',`
+	nis_use_ypbind(udev_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(udev_t)
 ')
				`@ -0,0 +1 @@`
				`## <summary>IPv6 router advertisement daemon</summary>`