From: Dan Walsh
Date: Thu, 14 Jul 2011 19:28:50 +0000 (-0400)
Subject: dgrift did a more confined mechanism of allowing gkeyringd to talk to mission_control
X-Git-Tag: 000~711
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d0cd1a5805976e78b0a636652098fd3ab878f5d2;p=people%2Fstevee%2Fselinux-policy.git
dgrift did a more confined mechanism of allowing gkeyringd to talk to mission_control
---
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 718b7ffc..b7bb827d 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -105,7 +105,6 @@ interface(`gnome_role_gkeyringd',`
 optional_policy(`
 telepathy_mission_control_read_state($1_gkeyringd_t)
- telepathy_dbus_chat($1_gkeyringd_t)
 ')
 ')
 ')
diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc
new file mode 100644
index 00000000..a7c4f1ed
--- /dev/null
+++ b/policy/modules/services/ctdbd.fc
@@ -0,0 +1,14 @@
+
+/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+
+/var/log/log.ctdb gen_context(system_u:object_r:ctdbd_log_t,s0)
+
+/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
+
+/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
+
+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+
diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
new file mode 100644
index 00000000..33173902
--- /dev/null
+++ b/policy/modules/services/ctdbd.if
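Review bot: The `/var/log/log.ctdb` entry in ctdbd.fc leaves its dot unescaped, so as a regex it also matches names such as `/var/log/logXctdb`, while the other entries in the same hunk escape theirs (`/etc/rc\.d/init\.d/ctdb`). It is also the only single-file entry without a file-type restriction; the line should read `/var/log/log\.ctdb -- gen_context(system_u:object_r:ctdbd_log_t,s0)`, consistent with the `/usr/sbin/ctdbd` and init script entries.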
@@ -0,0 +1,236 @@
+
+## policy for ctdbd
+
+########################################
+##
+## Transition to ctdbd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+##
+## Execute ctdbd server in the ctdbd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+##
+## Read ctdbd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Append to ctdbd log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Manage ctdbd log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Search ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read ctdbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Manage ctdbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_manage_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Manage ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Read ctdbd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_pid_files',`
+ gen_require(`
+ type ctdbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ctdbd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ctdbd_admin',`
+ gen_require(`
+ type ctdbd_t, ctdbd_initrc_exec_t;
+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
+ ')
+
+ allow $1 ctdbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ctdbd_t)
+
+ ctdbd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ctdbd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, ctdbd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ctdbd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ctdbd_var_run_t)
+')
+
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
index 00000000..8ce09c40
--- /dev/null
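Review bot: `ctdbd_read_pid_files` only grants `read_file_perms` on `ctdbd_var_run_t:file`, but ctdbd.fc labels the whole `/var/run/ctdbd(/.*)?` tree with that type, so a caller still has no search permission on the ctdbd_var_run_t directory and the read is denied once the domain is enforcing; `read_files_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t)` covers both, in line with ctdbd_read_lib_files. `ctdbd_admin` also omits `ctdbd_spool_t`, which ctdbd.te declares and ctdbd.fc applies under /var/spool/ctdb, so an administrator cannot manage the spool; add `files_search_spool($1)` and `admin_pattern($1, ctdbd_spool_t)` beside the other admin_pattern calls and the type to the gen_require. The parameter summaries of ctdbd_append_log ("Domain allowed to transition.") and ctdbd_manage_log ("Domain to not audit.") look copied from other interfaces and should read "Domain allowed access." like their neighbours.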
+++ b/policy/modules/services/ctdbd.te 
@@ -0,0 +1,90 @@
+policy_module(ctdbd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ctdbd_t;
+type ctdbd_exec_t;
+init_daemon_domain(ctdbd_t, ctdbd_exec_t)
+
+permissive ctdbd_t;
+
+type ctdbd_initrc_exec_t;
+init_script_file(ctdbd_initrc_exec_t)
+
+type ctdbd_log_t;
+logging_log_file(ctdbd_log_t)
+
+type ctdbd_spool_t;
+files_type(ctdbd_spool_t)
+
+type ctdbd_tmp_t;
+files_tmp_file(ctdbd_tmp_t)
+
+type ctdbd_var_lib_t;
+files_type(ctdbd_var_lib_t)
+
+type ctdbd_var_run_t;
+files_pid_file(ctdbd_var_run_t)
+
+########################################
+#
+# ctdbd local policy
+#
+allow ctdbd_t self:capability { chown ipc_lock sys_nice };
+allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:fifo_file rw_fifo_file_perms;
+allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow ctdbd_t self:packet_socket create_socket_perms;
+allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } )
+
+manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, sock_file)
+
+manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
+files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } )
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })
+
+kernel_read_system_state(ctdbd_t)
+
+corenet_tcp_bind_generic_node(ctdbd_t)
+
+corecmd_exec_bin(ctdbd_t)
+corecmd_exec_shell(ctdbd_t)
+
+domain_use_interactive_fds(ctdbd_t)
+domain_dontaudit_read_all_domains_state(ctdbd_t)
+
+files_read_etc_files(ctdbd_t)
+
+iptables_domtrans(ctdbd_t)
+
+logging_send_syslog_msg(ctdbd_t)
+
+miscfiles_read_localization(ctdbd_t)
+
+sysnet_domtrans_ifconfig(ctdbd_t)
+
+# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
+# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
+
+optional_policy(`
+ samba_initrc_domtrans(ctdbd_t)
+')
+
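Review bot: `permissive ctdbd_t;` in the declarations makes every rule in this module advisory: denials for ctdbd_t are only audited, never enforced, so the confinement this file appears to provide is not in effect until that line is removed. If that is intended for a first cut, mark it as such next to the line, e.g. `# TODO: remove once the ctdbd_t rule set has been validated; nothing in this module is enforced while this is set`. The two commented-out lines `# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)` and `# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)` name a different domain and interfaces that appear nowhere else in this commit, so they look like template leftovers and should be dropped. Relatedly, the local policy grants `tcp_socket create_stream_socket_perms` and `corenet_tcp_bind_generic_node` but no port bind or sendrecv rule, so the daemon's TCP listener presumably only works today because of permissive mode; that gap is worth confirming against the ports ctdbd actually uses before the permissive line goes.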