d542026b86
The capability IPC goes on top of the local policy. The capability IPC goes on top of the local policy. The capability IPC goes on top of the local policy. The capability IPC goes on top of the local policy.
117 lines
2.9 KiB
Plaintext
117 lines
2.9 KiB
Plaintext
policy_module(cvs, 1.9.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow cvs daemon to read shadow
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_cvs_read_shadow, false)
|
|
|
|
type cvs_t;
|
|
type cvs_exec_t;
|
|
inetd_tcp_service_domain(cvs_t, cvs_exec_t)
|
|
application_executable_file(cvs_exec_t)
|
|
role system_r types cvs_t;
|
|
|
|
type cvs_data_t; # customizable
|
|
files_type(cvs_data_t)
|
|
|
|
type cvs_initrc_exec_t;
|
|
init_script_file(cvs_initrc_exec_t)
|
|
|
|
type cvs_tmp_t;
|
|
files_tmp_file(cvs_tmp_t)
|
|
|
|
type cvs_var_run_t;
|
|
files_pid_file(cvs_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow cvs_t self:capability { setuid setgid };
|
|
allow cvs_t self:process signal_perms;
|
|
allow cvs_t self:fifo_file rw_fifo_file_perms;
|
|
allow cvs_t self:tcp_socket connected_stream_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
|
|
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
|
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
|
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
|
|
|
manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
|
|
manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
|
|
files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t)
|
|
files_pid_filetrans(cvs_t, cvs_var_run_t, file)
|
|
|
|
kernel_read_kernel_sysctls(cvs_t)
|
|
kernel_read_system_state(cvs_t)
|
|
kernel_read_network_state(cvs_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(cvs_t)
|
|
corenet_all_recvfrom_netlabel(cvs_t)
|
|
corenet_tcp_sendrecv_generic_if(cvs_t)
|
|
corenet_udp_sendrecv_generic_if(cvs_t)
|
|
corenet_tcp_sendrecv_generic_node(cvs_t)
|
|
corenet_udp_sendrecv_generic_node(cvs_t)
|
|
corenet_tcp_sendrecv_all_ports(cvs_t)
|
|
corenet_udp_sendrecv_all_ports(cvs_t)
|
|
|
|
dev_read_urand(cvs_t)
|
|
|
|
fs_getattr_xattr_fs(cvs_t)
|
|
|
|
auth_domtrans_chk_passwd(cvs_t)
|
|
auth_use_nsswitch(cvs_t)
|
|
|
|
corecmd_exec_bin(cvs_t)
|
|
corecmd_exec_shell(cvs_t)
|
|
|
|
files_read_etc_files(cvs_t)
|
|
files_read_etc_runtime_files(cvs_t)
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
files_search_home(cvs_t)
|
|
|
|
logging_send_syslog_msg(cvs_t)
|
|
logging_send_audit_msgs(cvs_t)
|
|
|
|
miscfiles_read_localization(cvs_t)
|
|
|
|
mta_send_mail(cvs_t)
|
|
|
|
# cjp: typeattribute doesnt work in conditionals yet
|
|
auth_can_read_shadow_passwords(cvs_t)
|
|
tunable_policy(`allow_cvs_read_shadow',`
|
|
allow cvs_t self:capability dac_override;
|
|
auth_tunable_read_shadow(cvs_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(cvs, cvs_t)
|
|
kerberos_read_config(cvs_t)
|
|
kerberos_dontaudit_write_config(cvs_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# CVSWeb policy
|
|
#
|
|
|
|
optional_policy(`
|
|
apache_content_template(cvs)
|
|
|
|
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
|
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
|
')
|