[selinux-policy: 1398/3172] add authbind, bug 1516

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:06:16 UTC 2010


commit b6b5747bac2ba6d8a0827ee9b556363f56aa6a26
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Apr 27 18:11:26 2006 +0000

    add authbind, bug 1516

 refpolicy/Changelog                       |    1 +
 refpolicy/policy/modules/apps/authbind.fc |    3 ++
 refpolicy/policy/modules/apps/authbind.if |   23 ++++++++++++++++++
 refpolicy/policy/modules/apps/authbind.te |   36 +++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ab3793c..08b3f25 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -37,6 +37,7 @@
 	apt (Erich Schubert)
 	asterisk
 	audioentropy
+	authbind
 	backup
 	calamaris
 	cipe
diff --git a/refpolicy/policy/modules/apps/authbind.fc b/refpolicy/policy/modules/apps/authbind.fc
new file mode 100644
index 0000000..af7a8e0
--- /dev/null
+++ b/refpolicy/policy/modules/apps/authbind.fc
@@ -0,0 +1,3 @@
+/etc/authbind(/.*)?			gen_require(system_u:object_r:authbind_etc_t,s0)
+
+/usr/lib(64)?/authbind/helper	--	gen_require(system_u:object_r:authbind_exec_t,s0)
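Review bot: Both file-context entries wrap the context in `gen_require(...)`, which is the macro for declaring required types inside interfaces, not the one that emits a file context. File-context files in refpolicy use `gen_context`, so the lines should read `gen_context(system_u:object_r:authbind_etc_t,s0)` and `gen_context(system_u:object_r:authbind_exec_t,s0)`. As written the helper and /etc/authbind are unlikely to receive their labels, in which case the transition to authbind_t never happens and the confinement in authbind.te is not applied.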
diff --git a/refpolicy/policy/modules/apps/authbind.if b/refpolicy/policy/modules/apps/authbind.if
new file mode 100644
index 0000000..84134d0
--- /dev/null
+++ b/refpolicy/policy/modules/apps/authbind.if
@@ -0,0 +1,23 @@
+## <summary>Tool for non-root processes to bind to reserved ports</summary>
+
+########################################
+## <summary>
+##	Use authbind to bind to a reserved port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authbind_domtrans',`
+	gen_require(`
+		type authbind_t, authbind_exec_t;
+	')
+
+	domain_auto_trans($1,authbind_exec_t,authbind_t)
+	allow authbind_t $1:fd use;
+	allow authbind_t $1:fifo_file rw_file_perms;
+	allow authbind_t $1:process sigchld;
+	allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
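Review bot: The doc block for `authbind_domtrans` does not say what the caller hands over. Besides the transition, authbind_t gets `rw_socket_perms` on the caller's TCP and UDP sockets plus use of its file descriptors and fifos. The parameter summary could read `Domain allowed to transition to authbind_t; its inherited sockets become accessible to authbind.`. Nothing in the visible rules grants `name_bind` on any port type, so the caller's own policy presumably has to allow the reserved port; a one-line comment saying so would stop users of this interface from assuming it is sufficient by itself.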
diff --git a/refpolicy/policy/modules/apps/authbind.te b/refpolicy/policy/modules/apps/authbind.te
new file mode 100644
index 0000000..292dda2
--- /dev/null
+++ b/refpolicy/policy/modules/apps/authbind.te
@@ -0,0 +1,36 @@
+
+policy_module(authbind,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authbind_t;
+type authbind_exec_t;
+domain_type(authbind_t)
+domain_entry_file(authbind_t,authbind_exec_t)
+role system_r types authbind_t;
+
+type authbind_etc_t;
+files_config_file(authbind_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow authbind_t self:capability net_bind_service;
+
+can_exec(authbind_t, authbind_etc_t)
+allow authbind_t authbind_etc_t:file r_file_perms;
+allow authbind_t authbind_etc_t:dir r_dir_perms;
+allow authbind_t authbind_etc_t:lnk_file { getattr read };
+files_list_etc(authbind_t)
+
+term_use_console(authbind_t)
+
+logging_send_syslog_msg(authbind_t)
+
+libs_use_ld_so(authbind_t)
+libs_use_shared_libs(authbind_t)
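Review bot: `can_exec(authbind_t, authbind_etc_t)` lets a domain holding `net_bind_service` execute anything labeled as its own configuration, and no comment explains why. If the helper only tests the execute bit on the /etc/authbind entries to decide whether a bind is authorized (this appears to be how authbind works, but confirm against the helper), the narrower `allow authbind_t authbind_etc_t:file execute;` would cover it without granting execute_no_trans. Either way, add a comment such as `# authbind authorizes a bind by checking execute access on /etc/authbind entries`. Write access to authbind_etc_t should then be treated as equivalent to granting reserved-port binding.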

