Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
authorDan Walsh <dwalsh@redhat.com>
Tue, 17 May 2011 08:59:29 +0000 (10:59 +0200)
committerDan Walsh <dwalsh@redhat.com>
Tue, 17 May 2011 08:59:29 +0000 (10:59 +0200)
Conflicts:
policy/modules/system/sysnetwork.te

Add Initial Callweaver policy

policy/modules/admin/logrotate.te
policy/modules/kernel/storage.if
policy/modules/services/callweaver.fc
policy/modules/services/callweaver.if
policy/modules/services/callweaver.te
policy/modules/system/init.te

index 2f3bab7e4a530a4a5cd2b406943d6eb750ed1799,2f3bab7e4a530a4a5cd2b406943d6eb750ed1799..890c1a4c75e6cdf18cd128236c74622221924d85
@@@ -157,6 -157,6 +157,10 @@@ optional_policy(
        bind_manage_cache(logrotate_t)
  ')
  
++optional_policy(`
++      callweaver_stream_connect(logrotate_t)
++')
++
  optional_policy(`
        consoletype_exec(logrotate_t)
  ')
Simple merge
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..75e79764f49572e940fc3a882d7bdb9ae044db93
new file mode 100644 (file)
--- /dev/null
--- /dev/null
@@@ -1,0 -1,0 +1,33 @@@
++
++/etc/rc\.d/init\.d/callweaver --      gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
++
++
++/usr/sbin/callweaver          --      gen_context(system_u:object_r:callweaver_exec_t,s0)
++
++/var/lib/callweaver(/.*)?             gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/lib/callweaver/core(/.*)?                gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/lib/callweaver/coredump(/.*)?            gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/lib/callweaver/images(/.*)?              gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/lib/callweaver/keys(/.*)?                gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/lib/callweaver/moh(/.*)?         gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/lib/callweaver/ogi(/.*)?         gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/log/callweaver(/.*)?             gen_context(system_u:object_r:callweaver_log_t,s0)
++
++/var/log/callweaver/cdr-csv(/.*)?             gen_context(system_u:object_r:callweaver_log_t,s0)
++
++/var/log/callweaver/cdr-custom(/.*)?          gen_context(system_u:object_r:callweaver_log_t,s0)
++
++/var/run/callweaver(/.*)?             gen_context(system_u:object_r:callweaver_var_run_t,s0)
++
++/var/spool/callweaver(/.*)?           gen_context(system_u:object_r:callweaver_spool_t,s0)
++
++/var/spool/callweaver/outgoing(/.*)?          gen_context(system_u:object_r:callweaver_spool_t,s0)
++
++/var/spool/callweaver/voicemail(/.*)?         gen_context(system_u:object_r:callweaver_spool_t,s0)
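Review bot: The ten entries for subdirectories of /var/lib, /var/log and /var/spool (e.g. `/var/lib/callweaver/core(/.*)?`) assign exactly the type that their parent `(/.*)?` pattern already assigns, so they are redundant and can be dropped without changing any labeling. If the `keys` directory holds private key material, a dedicated type would let the policy limit read access to callweaver_t alone rather than to every caller of callweaver_read_lib_files; whether that is warranted depends on what the daemon stores there, which this file does not show.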
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..ed2ca1f31d3070ac734e73efdb56ef547b2b0802
new file mode 100644 (file)
--- /dev/null
--- /dev/null
@@@ -1,0 -1,0 +1,342 @@@
++
++## <summary>policy for callweaver</summary>
++
++
++########################################
++## <summary>
++##    Transition to callweaver.
++## </summary>
++## <param name="domain">
++## <summary>
++##    Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_domtrans',`
++      gen_require(`
++              type callweaver_t, callweaver_exec_t;
++      ')
++
++        corecmd_search_bin($1)
++      domtrans_pattern($1, callweaver_exec_t, callweaver_t)
++')
++
++
++########################################
++## <summary>
++##    Execute callweaver server in the callweaver domain.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_initrc_domtrans',`
++      gen_require(`
++              type callweaver_initrc_exec_t;
++      ')
++
++      init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##    Read callweaver's log files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++## <rolecap/>
++#
++interface(`callweaver_read_log',`
++      gen_require(`
++              type callweaver_log_t;
++      ')
++
++      logging_search_logs($1)
++        read_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++##    Append to callweaver log files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed to transition.
++##    </summary>
++## </param>
++#
++interface(`callweaver_append_log',`
++      gen_require(`
++              type callweaver_log_t;
++      ')
++
++      logging_search_logs($1)
++        append_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++##    Manage callweaver log files
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain to not audit.
++##    </summary>
++## </param>
++#
++interface(`callweaver_manage_log',`
++      gen_require(`
++              type callweaver_log_t;
++      ')
++
++      logging_search_logs($1)
++        manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
++        manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
++        manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++##    Search callweaver lib directories.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_search_lib',`
++      gen_require(`
++              type callweaver_var_lib_t;
++      ')
++
++      allow $1 callweaver_var_lib_t:dir search_dir_perms;
++      files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##    Read callweaver lib files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_read_lib_files',`
++      gen_require(`
++              type callweaver_var_lib_t;
++      ')
++
++      files_search_var_lib($1)
++        read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++## <summary>
++##    Manage callweaver lib files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_manage_lib_files',`
++      gen_require(`
++              type callweaver_var_lib_t;
++      ')
++
++      files_search_var_lib($1)
++        manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++## <summary>
++##    Manage callweaver lib directories.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_manage_lib_dirs',`
++      gen_require(`
++              type callweaver_var_lib_t;
++      ')
++
++      files_search_var_lib($1)
++        manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##    Read callweaver PID files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_read_pid_files',`
++      gen_require(`
++              type callweaver_var_run_t;
++      ')
++
++      files_search_pids($1)
++      allow $1 callweaver_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##    Connect to callweaver over an unix stream socket.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_stream_connect',`
++      gen_require(`
++              type callweaver_t, callweaver_var_run_t;
++      ')
++
++      files_search_pids($1)
++        stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t)
++')
++
++########################################
++## <summary>
++##    Search callweaver spool directories.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_search_spool',`
++      gen_require(`
++              type callweaver_spool_t;
++      ')
++
++      allow $1 callweaver_spool_t:dir search_dir_perms;
++      files_search_spool($1)
++')
++
++########################################
++## <summary>
++##    Read callweaver spool files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_read_spool_files',`
++      gen_require(`
++              type callweaver_spool_t;
++      ')
++
++      files_search_spool($1)
++      read_files_pattern($1, callweaver_spool_t callweaver_spool_t)
++')
++
++########################################
++## <summary>
++##    Manage callweaver spool files.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_manage_spool_files',`
++      gen_require(`
++              type callweaver_spool_t;
++      ')
++
++      files_search_spool($1)
++      manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++## <summary>
++##    Manage callweaver spool dirs.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`callweaver_manage_spool_dirs',`
++      gen_require(`
++              type callweaver_spool_t;
++      ')
++
++      files_search_spool($1)
++      manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++
++########################################
++## <summary>
++##    All of the rules required to administrate
++##    an callweaver environment
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++## <param name="role">
++##    <summary>
++##    Role allowed access.
++##    </summary>
++## </param>
++## <rolecap/>
++#
++interface(`callweaver_admin',`
++      gen_require(`
++              type callweaver_t;
++              type callweaver_initrc_exec_t;
++                type callweaver_log_t;
++                type callweaver_var_lib_t;
++                type callweaver_var_run_t;
++                type callweaver_spool_t;
++      ')
++
++      allow $1 callweaver_t:process { ptrace signal_perms };
++      ps_process_pattern($1, callweaver_t)
++
++      callweaver_initrc_domtrans($1)
++      domain_system_change_exemption($1)
++      role_transition $2 callweaver_initrc_exec_t system_r;
++      allow $2 system_r;
++
++      logging_search_logs($1)
++      admin_pattern($1, callweaver_log_t)
++
++      files_search_var_lib($1)
++      admin_pattern($1, callweaver_var_lib_t)
++
++      files_search_pids($1)
++      admin_pattern($1, callweaver_var_run_t)
++
++      files_search_spool($1)
++      admin_pattern($1, callweaver_spool_t)
++
++')
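Review bot: `read_files_pattern($1, callweaver_spool_t callweaver_spool_t)` in callweaver_read_spool_files is missing the comma between its second and third arguments, so m4 passes "callweaver_spool_t callweaver_spool_t" as one argument and the pattern's third parameter expands empty; it should read `read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)`. In callweaver_stream_connect the call `stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t)` appears to drop the server-domain argument even though the gen_require block pulls in callweaver_t for that purpose; if the pattern in this tree takes (domain, dir, sock_file, server), the line should be `stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)`, otherwise the connectto rule is either malformed or absent and the logrotate caller added elsewhere in this merge gets no usable grant. The parameter summaries of callweaver_append_log ("Domain allowed to transition.") and callweaver_manage_log ("Domain to not audit.") are copy-paste leftovers and should both read `Domain allowed access.`. Several bodies mix space and tab indentation (corecmd_search_bin in callweaver_domtrans, the *_pattern calls in the log and lib interfaces, the type lines in callweaver_admin's gen_require) while the rest of the file uses tabs.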
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..a67f73259da948cd8e2b317edba4949ac720224a
new file mode 100644 (file)
--- /dev/null
--- /dev/null
@@@ -1,0 -1,0 +1,79 @@@
++policy_module(callweaver,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type callweaver_t;
++type callweaver_exec_t;
++init_daemon_domain(callweaver_t, callweaver_exec_t)
++
++permissive callweaver_t;
++
++type callweaver_initrc_exec_t;
++init_script_file(callweaver_initrc_exec_t)
++
++type callweaver_log_t;
++logging_log_file(callweaver_log_t)
++
++type callweaver_var_lib_t;
++files_type(callweaver_var_lib_t)
++
++type callweaver_var_run_t;
++files_pid_file(callweaver_var_run_t)
++
++type callweaver_spool_t;
++files_type(callweaver_spool_t)
++
++########################################
++#
++# callweaver local policy
++#
++
++allow callweaver_t self:capability { setuid sys_nice setgid };
++allow callweaver_t self:process { setsched signal };
++allow callweaver_t self:fifo_file rw_fifo_file_perms;
++allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
++
++allow callweaver_t self:tcp_socket create_stream_socket_perms;
++allow callweaver_t self:udp_socket create_socket_perms;
++
++kernel_read_sysctl(callweaver_t)
++kernel_read_kernel_sysctls(callweaver_t)
++
++corenet_udp_bind_asterisk_port(callweaver_t)
++corenet_udp_bind_generic_port(callweaver_t)
++corenet_udp_bind_sip_port(callweaver_t)
++
++dev_manage_generic_symlinks(callweaver_t)
++
++domain_use_interactive_fds(callweaver_t)
++
++files_read_etc_files(callweaver_t)
++
++term_getattr_pty_fs(callweaver_t)
++term_use_generic_ptys(callweaver_t)
++term_use_ptmx(callweaver_t)
++
++auth_use_nsswitch(callweaver_t)
++
++miscfiles_read_localization(callweaver_t)
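Review bot: `permissive callweaver_t;` makes every rule below advisory only — denials are logged as AVC messages but nothing is enforced — so the file should say this is a bring-up setting and track its removal, e.g. `# TODO: drop once the domain has been exercised under enforcing mode` above that line. `dev_manage_generic_symlinks(callweaver_t)` and `corenet_udp_bind_generic_port(callweaver_t)` are broad grants for a daemon that otherwise binds only the asterisk and sip ports; a comment naming the device link or port that motivated each would let a later reviewer tighten them. The `setuid`/`setgid` capabilities are presumably for dropping privileges after start, which is worth stating in a comment on that allow line rather than leaving to inference.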
index 22a5fdd0cea9cd3aab9beab33c6ab157369269cc,22a5fdd0cea9cd3aab9beab33c6ab157369269cc..787ac5101519763012e248d63c5be826c6c207f6
@@@ -480,6 -480,6 +480,7 @@@ dev_write_framebuffer(initrc_t
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
++dev_setattr_generic_dirs(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
  dev_rw_generic_chr_files(initrc_t)
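Review bot: `dev_setattr_generic_dirs(initrc_t)` widens initrc_t with no rationale in the commit message, which only mentions callweaver. As it stands the line reads as an unrelated change carried in through the merge; a short comment (or a separate commit) naming which init script needs to setattr a /dev directory would make the grant auditable later.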