rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
7b61fe506d
selinux-policy/policy/modules/services/ricci.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore. 
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

506 lines
13 KiB
Plaintext
Raw Blame History

policy_module(ricci,1.1.1)
########################################
#
# Declarations
#
type ricci_t;
type ricci_exec_t;
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
# tmp files
type ricci_tmp_t;
files_tmp_file(ricci_tmp_t)
# var/lib files
type ricci_var_lib_t;
files_type(ricci_var_lib_t)
# log files
type ricci_var_log_t;
logging_log_file(ricci_var_log_t)
# pid files
type ricci_var_run_t;
files_pid_file(ricci_var_run_t)
type ricci_modcluster_t;
type ricci_modcluster_exec_t;
domain_type(ricci_modcluster_t)
domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
role system_r types ricci_modcluster_t;
# var/lib files
type ricci_modcluster_var_lib_t;
files_type(ricci_modcluster_var_lib_t)
# log files
type ricci_modcluster_var_log_t;
logging_log_file(ricci_modcluster_var_log_t)
# pid files
type ricci_modcluster_var_run_t;
files_pid_file(ricci_modcluster_var_run_t)
type ricci_modclusterd_t;
type ricci_modclusterd_exec_t;
domain_type(ricci_modclusterd_t)
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
type ricci_modlog_t;
type ricci_modlog_exec_t;
domain_type(ricci_modlog_t)
domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
role system_r types ricci_modlog_t;
type ricci_modrpm_t;
type ricci_modrpm_exec_t;
domain_type(ricci_modrpm_t)
domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
role system_r types ricci_modrpm_t;
type ricci_modservice_t;
type ricci_modservice_exec_t;
domain_type(ricci_modservice_t)
domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
role system_r types ricci_modservice_t;
type ricci_modstorage_t;
type ricci_modstorage_exec_t;
domain_type(ricci_modstorage_t)
domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
role system_r types ricci_modstorage_t;
type ricci_modstorage_lock_t;
files_lock_file(ricci_modstorage_lock_t)
########################################
#
# ricci local policy
#
allow ricci_t self:capability { setuid sys_nice sys_boot };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file { read write };
allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ricci_t self:tcp_socket create_stream_socket_perms;
domain_auto_trans(ricci_t,ricci_modcluster_exec_t,ricci_modcluster_t)
domain_auto_trans(ricci_t,ricci_modlog_exec_t,ricci_modlog_t)
domain_auto_trans(ricci_t,ricci_modrpm_exec_t,ricci_modrpm_t)
domain_auto_trans(ricci_t,ricci_modservice_exec_t,ricci_modservice_t)
domain_auto_trans(ricci_t,ricci_modstorage_exec_t,ricci_modstorage_t)
# tmp file
manage_dirs_pattern(ricci_t,ricci_tmp_t,ricci_tmp_t)
manage_files_pattern(ricci_t,ricci_tmp_t,ricci_tmp_t)
files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
# var/lib files for ricci
manage_dirs_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t)
manage_files_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t)
manage_sock_files_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t)
files_var_lib_filetrans(ricci_t,ricci_var_lib_t, { file dir sock_file })
# log files
allow ricci_t ricci_var_log_t:dir setattr;
manage_files_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t)
manage_sock_files_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t)
logging_log_filetrans(ricci_t,ricci_var_log_t,{ sock_file file dir })
# pid file
manage_files_pattern(ricci_t,ricci_var_run_t,ricci_var_run_t)
manage_sock_files_pattern(ricci_t,ricci_var_run_t,ricci_var_run_t)
files_pid_filetrans(ricci_t,ricci_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ricci_t)
corecmd_exec_bin(ricci_t)
corenet_all_recvfrom_unlabeled(ricci_t)
corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_all_if(ricci_t)
corenet_tcp_sendrecv_all_nodes(ricci_t)
corenet_tcp_sendrecv_all_ports(ricci_t)
corenet_tcp_bind_all_nodes(ricci_t)
corenet_udp_bind_all_nodes(ricci_t)
corenet_tcp_bind_ricci_port(ricci_t)
corenet_udp_bind_ricci_port(ricci_t)
corenet_tcp_connect_http_port(ricci_t)
dev_read_urand(ricci_t)
files_read_etc_files(ricci_t)
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)
auth_domtrans_chk_passwd(ricci_t)
auth_append_login_records(ricci_t)
init_dontaudit_stream_connect_script(ricci_t)
libs_use_ld_so(ricci_t)
libs_use_shared_libs(ricci_t)
locallogin_dontaudit_use_fds(ricci_t)
logging_send_syslog_msg(ricci_t)
miscfiles_read_localization(ricci_t)
sysnet_dns_name_resolve(ricci_t)
ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(ricci_t)
term_dontaudit_use_unallocated_ttys(ricci_t)
')
optional_policy(`
ccs_read_config(ricci_t)
')
optional_policy(`
dbus_system_bus_client_template(ricci,ricci_t)
dbus_send_system_bus(ricci_t)
oddjob_dbus_chat(ricci_t)
')
optional_policy(`
# Needed so oddjob can run halt/reboot on behalf of ricci
corecmd_bin_entry_type(ricci_t)
term_dontaudit_search_ptys(ricci_t)
init_exec(ricci_t)
init_telinit(ricci_t)
init_rw_utmp(ricci_t)
oddjob_system_entry(ricci_t, ricci_exec_t)
')
optional_policy(`
rpm_use_script_fds(ricci_t)
')
optional_policy(`
sasl_connect(ricci_t)
')
optional_policy(`
unconfined_use_fds(ricci_t)
')
optional_policy(`
xen_domtrans_xm(ricci_t)
')
########################################
#
# ricci_modcluster local policy
#
allow ricci_modcluster_t self:capability sys_nice;
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)
corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
domain_dontaudit_read_all_domains_state(ricci_modcluster_t)
files_search_locks(ricci_modcluster_t)
files_read_etc_runtime_files(ricci_modcluster_t)
files_read_etc_files(ricci_modcluster_t)
files_search_usr(ricci_modcluster_t)
init_exec(ricci_modcluster_t)
init_domtrans_script(ricci_modcluster_t)
libs_use_ld_so(ricci_modcluster_t)
libs_use_shared_libs(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
miscfiles_read_localization(ricci_modcluster_t)
modutils_domtrans_insmod(ricci_modcluster_t)
mount_domtrans(ricci_modcluster_t)
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
')
optional_policy(`
consoletype_exec(ricci_modcluster_t)
')
optional_policy(`
lvm_domtrans(ricci_modcluster_t)
')
optional_policy(`
nscd_socket_use(ricci_modcluster_t)
')
optional_policy(`
oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
')
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
########################################
#
# ricci_modclusterd local policy
#
allow ricci_modclusterd_t self:capability sys_nice;
allow ricci_modclusterd_t self:process { signal sigkill setsched };
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
# cjp: this needs to be fixed for a specific socket type:
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_log_t,ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_log_t,ricci_modcluster_var_log_t)
logging_log_filetrans(ricci_modclusterd_t,ricci_modcluster_var_log_t,{ sock_file file dir })
# pid file
manage_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_run_t,ricci_modcluster_var_run_t)
manage_sock_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_run_t,ricci_modcluster_var_run_t)
files_pid_filetrans(ricci_modclusterd_t,ricci_modcluster_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
corecmd_exec_bin(ricci_modclusterd_t)
corenet_tcp_sendrecv_all_if(ricci_modclusterd_t)
corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
corenet_tcp_bind_all_nodes(ricci_modclusterd_t)
corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
domain_dontaudit_read_all_domains_state(ricci_modclusterd_t)
files_read_etc_files(ricci_modclusterd_t)
files_read_etc_runtime_files(ricci_modclusterd_t)
fs_getattr_xattr_fs(ricci_modclusterd_t)
init_dontaudit_stream_connect_script(ricci_modclusterd_t)
libs_use_ld_so(ricci_modclusterd_t)
libs_use_shared_libs(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
logging_send_syslog_msg(ricci_modclusterd_t)
miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
sysnet_dns_name_resolve(ricci_modclusterd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(ricci_modclusterd_t)
term_dontaudit_use_unallocated_ttys(ricci_modclusterd_t)
')
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
ccs_read_config(ricci_modclusterd_t)
')
optional_policy(`
unconfined_use_fds(ricci_modclusterd_t)
')
########################################
#
# ricci_modlog local policy
#
allow ricci_modlog_t self:capability sys_nice;
allow ricci_modlog_t self:process setsched;
kernel_read_kernel_sysctls(ricci_modlog_t)
kernel_read_system_state(ricci_modlog_t)
corecmd_exec_bin(ricci_modlog_t)
domain_dontaudit_read_all_domains_state(ricci_modlog_t)
files_read_etc_files(ricci_modlog_t)
files_search_usr(ricci_modlog_t)
libs_use_ld_so(ricci_modlog_t)
libs_use_shared_libs(ricci_modlog_t)
logging_read_generic_logs(ricci_modlog_t)
miscfiles_read_localization(ricci_modlog_t)
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
')
optional_policy(`
oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
')
########################################
#
# ricci_modrpm local policy
#
allow ricci_modrpm_t self:fifo_file { getattr read };
kernel_read_kernel_sysctls(ricci_modrpm_t)
corecmd_exec_bin(ricci_modrpm_t)
libs_use_ld_so(ricci_modrpm_t)
libs_use_shared_libs(ricci_modrpm_t)
files_search_usr(ricci_modrpm_t)
files_read_etc_files(ricci_modrpm_t)
miscfiles_read_localization(ricci_modrpm_t)
optional_policy(`
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
')
optional_policy(`
rpm_domtrans(ricci_modrpm_t)
')
########################################
#
# ricci_modservice local policy
#
allow ricci_modservice_t self:capability { dac_override sys_nice };
allow ricci_modservice_t self:fifo_file { getattr read write };
allow ricci_modservice_t self:process setsched;
kernel_read_kernel_sysctls(ricci_modservice_t)
kernel_read_system_state(ricci_modservice_t)
corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)
files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
consoletype_exec(ricci_modservice_t)
init_domtrans_script(ricci_modservice_t)
libs_use_ld_so(ricci_modservice_t)
libs_use_shared_libs(ricci_modservice_t)
miscfiles_read_localization(ricci_modservice_t)
optional_policy(`
ccs_read_config(ricci_modservice_t)
')
optional_policy(`
nscd_dontaudit_search_pid(ricci_modservice_t)
')
optional_policy(`
oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
')
########################################
#
# ricci_modstorage local policy
#
allow ricci_modstorage_t self:process { setsched signal };
dontaudit ricci_modstorage_t self:process ptrace;
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
kernel_read_kernel_sysctls(ricci_modstorage_t)
kernel_read_system_state(ricci_modstorage_t)
create_files_pattern(ricci_modstorage_t,ricci_modstorage_lock_t,ricci_modstorage_lock_t)
files_lock_filetrans(ricci_modstorage_t,ricci_modstorage_lock_t,file)
corecmd_exec_bin(ricci_modstorage_t)
dev_read_sysfs(ricci_modstorage_t)
dev_read_urand(ricci_modstorage_t)
dev_manage_generic_blk_files(ricci_modstorage_t)
domain_dontaudit_read_all_domains_state(ricci_modstorage_t)
#Needed for editing /etc/fstab
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
fstools_domtrans(ricci_modstorage_t)
libs_use_ld_so(ricci_modstorage_t)
libs_use_shared_libs(ricci_modstorage_t)
logging_send_syslog_msg(ricci_modstorage_t)
lvm_domtrans(ricci_modstorage_t)
lvm_manage_config(ricci_modstorage_t)
miscfiles_read_localization(ricci_modstorage_t)
modutils_read_module_deps(ricci_modstorage_t)
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
optional_policy(`
lvm_domtrans(ricci_modstorage_t)
')
optional_policy(`
nscd_socket_use(ricci_modstorage_t)
')
optional_policy(`
oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
')
optional_policy(`
raid_domtrans_mdadm(ricci_modstorage_t)
')
Reference in New Issue View Git Blame Copy Permalink