[selinux-policy: 2027/3172] trunk: 8 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:00:00 UTC 2010


commit 967fd1ba3fc84abf45c320b6942ffd501ce84c43
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 8 20:03:24 2008 +0000

    trunk: 8 patches from dan.

 Changelog                            |    1 +
 policy/modules/services/amavis.fc    |    4 +-
 policy/modules/services/amavis.if    |   31 +++++++++----
 policy/modules/services/amavis.te    |    9 +++-
 policy/modules/services/automount.fc |    3 +-
 policy/modules/services/automount.if |   77 ++++++++++++++++++++++++++++++++++
 policy/modules/services/automount.te |   23 ++++++----
 policy/modules/services/ftp.fc       |    2 +
 policy/modules/services/ftp.if       |   71 +++++++++++++++++++++++++++++--
 policy/modules/services/ftp.te       |   11 ++++-
 policy/modules/services/ldap.fc      |    1 +
 policy/modules/services/ldap.if      |   46 ++++++++++++++++++++
 policy/modules/services/ldap.te      |    5 ++-
 policy/modules/services/memcached.fc |    5 ++
 policy/modules/services/memcached.if |   73 ++++++++++++++++++++++++++++++++
 policy/modules/services/memcached.te |   50 ++++++++++++++++++++++
 policy/modules/services/openvpn.fc   |    3 +-
 policy/modules/services/openvpn.if   |   41 ++++++++++++++++++
 policy/modules/services/openvpn.te   |   17 +++++--
 policy/modules/services/smartmon.fc  |    4 +-
 policy/modules/services/smartmon.if  |   17 ++++++-
 policy/modules/services/smartmon.te  |    8 +++-
 22 files changed, 458 insertions(+), 44 deletions(-)
---
diff --git a/Changelog b/Changelog
index dc008a9..f545b87 100644
--- a/Changelog
+++ b/Changelog
@@ -14,6 +14,7 @@
   named pipe.  Updated init_telinit() to match.
 - Added modules:
 	cyphesis (Dan Walsh)
+	memcached (Dan Walsh)
 	oident (Dominick Grift)
 	w3c (Dan Walsh)
 
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
index 4533c2d..d96fdfa 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
@@ -1,8 +1,10 @@
 
 /etc/amavis\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
-/etc/amavisd(/.*)?		--	gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)?			gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/rc\.d/init\.d/amavis	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
 
 /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib(64)?/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 
 ifdef(`distro_debian',`
 /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index 2d2b263..3e5f6db 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -197,6 +197,11 @@ interface(`amavis_create_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`amavis_admin',`
@@ -204,28 +209,34 @@ interface(`amavis_admin',`
 		type amavis_t, amavis_tmp_t, amavis_var_log_t;
 		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
 		type amavis_etc_t, amavis_quarantine_t;
+ 		type amavis_initrc_exec_t;
 	')
 
 	allow $1 amavis_t:process { ptrace signal_perms };
 	ps_process_pattern($1, amavis_t)
-        
-	files_list_tmp($1)
-	manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t)
 
-	manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t)
+	init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 amavis_initrc_exec_t system_r;
+ 	allow $2 system_r;
 
 	files_list_etc($1)
-	manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
+	admin_pattern($1, amavis_etc_t)
 
-	logging_list_logs($1)
-	manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
+	admin_pattern($1, amavis_quarantine_t)
 
 	files_list_spool($1)
-	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+	admin_pattern($1, amavis_spool_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, amavis_tmp_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	admin_pattern($1, amavis_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, amavis_var_log_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t)
+	admin_pattern($1, amavis_var_run_t)
 ')
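Review bot: The four new lines `type amavis_initrc_exec_t;`, `domain_system_change_exemption($1)`, `role_transition $2 amavis_initrc_exec_t system_r;` and `allow $2 system_r;` are indented with a space followed by a tab, while every other line of `amavis_admin` uses a single tab. m4 does not care, but the stray space breaks the file's indentation convention and will surface as whitespace noise in later diffs; strip it so all four lines start with a tab like `init_labeled_script_domtrans($1, amavis_initrc_exec_t)` directly above them. The rest of the interface body is consistent with the other admin interfaces in this commit.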
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 463fefd..ad5b64e 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis, 1.7.0)
+policy_module(amavis, 1.7.1)
 
 ########################################
 #
@@ -13,7 +13,10 @@ init_daemon_domain(amavis_t, amavis_exec_t)
 
 # configuration files
 type amavis_etc_t;
-files_type(amavis_etc_t)
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
 
 # pid files
 type amavis_var_run_t;
@@ -57,6 +60,8 @@ allow amavis_t amavis_etc_t:dir list_dir_perms;
 read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
 read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
 
+can_exec(amavis_t, amavis_exec_t)
+
 # mail quarantine
 manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
 manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
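Review bot: `can_exec(amavis_t, amavis_exec_t)` lets amavisd execute its own entry-point type without a domain transition, and the hunk carries no comment saying why that is needed. The amavis.fc change in this same commit labels `/usr/lib(64)?/AntiVir/antivir` as `amavis_exec_t`, so presumably the rule exists so amavis_t can run that scanner helper in place; if so, a line such as `# run helper binaries labeled amavis_exec_t (e.g. AntiVir) without a transition` above the rule would record the justification. If it is instead for amavisd re-executing itself, say that instead, since an unexplained self-exec grant is easy to mistake for a leftover.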
diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
index 4a150eb..f16ab68 100644
--- a/policy/modules/services/automount.fc
+++ b/policy/modules/services/automount.fc
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
 
 #
 # /usr
@@ -12,4 +13,4 @@
 # /var
 #
 
-/var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
+/var/run/autofs.*		gen_context(system_u:object_r:automount_var_run_t,s0)
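Review bot: `/var/run/autofs.*` is wider than the `/var/run/autofs(/.*)?` it replaces: the unescaped `.` matches any character, so `/var/run/autofsd`, `/var/run/autofs-anything` and the old directory tree all become `automount_var_run_t`. If the goal is the named pipes the .te now lets automount create via `files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })` (presumably `autofs.fifo-*`), a spec such as `/var/run/autofs(\..*|/.*)?` keeps both the fifo names and the directory layout without also claiming unrelated `autofs*` entries. The intent is not stated in the hunk, so confirm which names autofs actually creates before tightening.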
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index fa34bf9..d4c517d 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -58,6 +58,42 @@ interface(`automount_read_state',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write automount daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of automount temporary directories.
 ## </summary>
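Review bot: The summary of `automount_dontaudit_use_fds` is missing its verb (`Do not audit attempts to file descriptors for automount.`); it should read `Do not audit attempts to use automount file descriptors.`. The parameter summary of `automount_dontaudit_write_pipes` says `Domain allowed access.`, but a dontaudit interface grants nothing; use `Domain to not audit.` as the sibling `automount_dontaudit_use_fds` above it already does. Both are documentation-only fixes.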
@@ -74,3 +110,44 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 
 	dontaudit $1 automount_tmp_t:dir getattr;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an automount environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the automount domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+	gen_require(`
+		type automount_t, automount_lock_t, automount_tmp_t;
+		type automount_var_run_t, automount_initrc_exec_t;
+	')
+
+	allow $1 automount_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, automount_t)
+
+	init_labeled_script_domtrans($1, automount_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 automount_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var($1)
+	admin_pattern($1, automount_lock_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, automount_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, automount_var_run_t)
+')
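Review bot: `allow $1 automount_t:process { ptrace signal_perms getattr };` includes `getattr`, which `ps_process_pattern($1, automount_t)` on the next line already grants in refpolicy, and which the `amavis_admin`, `ftp_admin`, `ldap_admin` and `openvpn_admin` interfaces added in this same commit omit; write it as `allow $1 automount_t:process { ptrace signal_perms };` for consistency. `files_list_var($1)` before `admin_pattern($1, automount_lock_t)` gives listing of /var but not search on the lock directory itself, so if the lock file lives under /var/lock the administrator presumably also needs search on that directory's type — worth confirming against where autofs actually puts its lock.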
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 8241f9f..7dd9861 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
 
-policy_module(automount, 1.9.0)
+policy_module(automount, 1.9.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type automount_t;
 type automount_exec_t;
 init_daemon_domain(automount_t, automount_exec_t)
 
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
@@ -35,8 +38,6 @@ allow automount_t self:tcp_socket create_stream_socket_perms;
 allow automount_t self:udp_socket create_socket_perms;
 allow automount_t self:rawip_socket create_socket_perms;
 
-allow automount_t self:netlink_route_socket r_netlink_socket_perms;
-
 can_exec(automount_t, automount_exec_t)
 
 allow automount_t automount_lock_t:file manage_file_perms;
@@ -52,7 +53,8 @@ files_home_filetrans(automount_t, automount_tmp_t, dir)
 files_root_filetrans(automount_t, automount_tmp_t, dir)
 
 manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
-files_pid_filetrans(automount_t, automount_var_run_t, file)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
 
 kernel_read_kernel_sysctls(automount_t)
 kernel_read_irq_sysctls(automount_t)
@@ -126,8 +128,12 @@ fs_unmount_autofs(automount_t)
 fs_mount_autofs(automount_t)
 fs_manage_autofs_symlinks(automount_t)
 
+storage_rw_fuse(automount_t)
+
 term_dontaudit_getattr_pty_dirs(automount_t)
 
+auth_use_nsswitch(automount_t)
+
 libs_use_ld_so(automount_t)
 libs_use_shared_libs(automount_t)
 
@@ -140,10 +146,6 @@ miscfiles_read_certs(automount_t)
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
 
-sysnet_dns_name_resolve(automount_t)
-sysnet_use_ldap(automount_t)
-sysnet_read_config(automount_t)
-
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 
 sysadm_dontaudit_search_home_dirs(automount_t)
@@ -163,11 +165,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(automount_t)
+	rpc_search_nfs_state_data(automount_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(automount_t)
+	samba_read_config(automount_t)
+	samba_manage_var_files(automount_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index 5ea69a0..983f90e 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -3,6 +3,8 @@
 #
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
 /etc/cron\.monthly/proftpd --	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/etc/rc\.d/init\.d/vsftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/proftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 5383ed1..63c9801 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -28,11 +28,13 @@ template(`ftp_per_role_template',`
 		type ftpd_t;
 	')
 
-	userdom_manage_user_home_content_files($1, ftpd_t)
-	userdom_manage_user_home_content_symlinks($1, ftpd_t)
-	userdom_manage_user_home_content_sockets($1, ftpd_t)
-	userdom_manage_user_home_content_pipes($1, ftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
+	tunable_policy(`ftp_home_dir',`
+		userdom_manage_user_home_content_files($1, ftpd_t)
+		userdom_manage_user_home_content_symlinks($1, ftpd_t)
+		userdom_manage_user_home_content_sockets($1, ftpd_t)
+		userdom_manage_user_home_content_pipes($1, ftpd_t)
+		userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
+	')
 ')
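Review bot: Home-directory access in `ftp_per_role_template` is now silently absent when `ftp_home_dir` is off, but nothing in the template says so and its summary block is above this hunk. Add `# user home content access is gated on the ftp_home_dir boolean` above the `tunable_policy` block, and make sure `gen_tunable(ftp_home_dir, false)` exists in ftp.te — its declaration is not visible in this diff. Wrapping the `userdom_user_home_dir_filetrans_user_home_content` call inside the same conditional is the right call, since with the boolean off writes into home directories are denied rather than created with a wrong label.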
 
 ########################################
@@ -155,3 +157,62 @@ interface(`ftp_run_ftpdctl',`
 	role $2 types ftpdctl_t;
 	allow ftpdctl_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ftp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ftp domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ftpdctl domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_admin',`
+	gen_require(`
+		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+		type ftpd_etc_t, ftpd_lock_t;
+		type ftpd_var_run_t, xferlog_t;
+		type ftpd_initrc_exec_t;
+	')
+
+	allow $1 ftpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ftpd_t)
+
+	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ftpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	ps_process_pattern($1, ftpdctl_t)
+	ftp_run_ftpdctl($1, $2, $3)
+
+	miscfiles_manage_public_files($1)
+
+	files_list_tmp($1)
+	admin_pattern($1, ftpd_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, ftpd_etc_t)
+
+	files_list_var($1)
+	admin_pattern($1, ftpd_lock_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ftpd_var_run_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, xferlog_t)
+')
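Review bot: `ftp_admin` never requires or touches `ftpd_tmpfs_t`, which ftp.te in this same commit shows in use via `fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, ...)`, so an administrator granted this interface cannot inspect or clean up the daemon's tmpfs content; add `ftpd_tmpfs_t` to the gen_require block and `admin_pattern($1, ftpd_tmpfs_t)` next to the `ftpd_tmp_t` handling. The terminal parameter summary reads `The type of the terminal allow the ftpdctl domain to use.`; `The type of the terminal the ftpdctl domain is allowed to use.` is what is meant.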
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 7d08ac3..bc0a4d4 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp, 1.8.0)
+policy_module(ftp, 1.8.1)
 
 ########################################
 #
@@ -53,6 +53,9 @@ init_daemon_domain(ftpd_t, ftpd_exec_t)
 type ftpd_etc_t;
 files_config_file(ftpd_etc_t)
 
+type ftpd_initrc_exec_t;
+init_script_file(ftpd_initrc_exec_t)
+
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)
 
@@ -106,9 +109,10 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, file)
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
 
 # proftpd requires the client side to bind a socket so that
 # it can stat the socket to perform access control decisions,
@@ -123,6 +127,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
 
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
@@ -169,7 +174,9 @@ init_rw_utmp(ftpd_t)
 libs_use_ld_so(ftpd_t)
 libs_use_shared_libs(ftpd_t)
 
+logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
 
 miscfiles_read_localization(ftpd_t)
 miscfiles_read_public_files(ftpd_t)
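Review bot: `logging_send_audit_msgs(ftpd_t)` and `logging_set_loginuid(ftpd_t)` hand the FTP daemon the ability to write audit records and set the audit login UID, unconditionally and with no comment on why. Setting the loginuid is normally only legitimate for services that open PAM sessions (pam_loginuid); if that is the case for vsftpd, a comment such as `# vsftpd opens PAM sessions; pam_loginuid sets the audit loginuid` above the two rules would record the justification and make the grant auditable. Whether the daemon's PAM-related `auth_*` rules sit nearby is outside this hunk.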
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index 53d71e0..c62f23e 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,5 +1,6 @@
 
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 
 /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 8d5edff..23d1c3f 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -73,3 +73,49 @@ interface(`ldap_stream_connect',`
 	allow $1 slapd_var_run_t:sock_file write;
 	allow $1 slapd_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ldap environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ldap domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_admin',`
+	gen_require(`
+		type slapd_t, slapd_tmp_t, slapd_replog_t;
+		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+		type slapd_initrc_exec_t;
+	')
+
+	allow $1 slapd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, slapd_t)
+
+	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 slapd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, slapd_etc_t)
+
+	admin_pattern($1, slapd_lock_t)
+
+	admin_pattern($1, slapd_replog_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, slapd_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, slapd_var_run_t)
+')
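Review bot: `ldap_admin` never requires or manages `slapd_db_t`, the type ldap.te (visible in this commit via `files_type(slapd_db_t)`) gives the slapd database, so an administrator granted this interface can restart slapd and edit its config but cannot back up, repair or relabel the database files. Add `type slapd_db_t;` to the gen_require block and, if the database lives under /var/lib as in the usual /var/lib/ldap layout, `files_list_var_lib($1)` followed by `admin_pattern($1, slapd_db_t)` alongside the other admin_pattern calls. The `admin_pattern` calls for `slapd_lock_t` and `slapd_replog_t` are also the only ones without a preceding parent-directory listing call, unlike the etc, tmp and pid types, so they rely on the caller already having search on those parents.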
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 862d1f8..90f13fb 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
 
-policy_module(ldap, 1.7.0)
+policy_module(ldap, 1.7.1)
 
 ########################################
 #
@@ -19,6 +19,9 @@ files_type(slapd_db_t)
 type slapd_etc_t;
 files_config_file(slapd_etc_t)
 
+type slapd_initrc_exec_t;
+init_script_file(slapd_initrc_exec_t)
+
 type slapd_lock_t;
 files_lock_file(slapd_lock_t)
 
diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc
new file mode 100644
index 0000000..4d69477
--- /dev/null
+++ b/policy/modules/services/memcached.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/memcached	--	gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached		--	gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/var/run/memcached(/.*)?		gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
new file mode 100644
index 0000000..8d4a94e
--- /dev/null
+++ b/policy/modules/services/memcached.if
@@ -0,0 +1,73 @@
+## <summary>high-performance memory object caching system</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run memcached.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`memcached_domtrans',`
+	gen_require(`
+		type memcached_t;
+                type memcached_exec_t;
+	')
+
+	domtrans_pattern($1,memcached_exec_t,memcached_t)
+')
+
+########################################
+## <summary>
+##	Read memcached PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`memcached_read_pid_files',`
+	gen_require(`
+		type memcached_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an memcached environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the memcached domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`memcached_admin',`
+	gen_require(`
+		type memcached_t;
+		type memcached_initrc_exec_t;
+	')
+
+	allow $1 memcached_t:process { ptrace signal_perms };
+	ps_process_pattern($1, memcached_t)
+
+	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 memcached_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, memcached_var_run_t)
+')
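Review bot: `memcached_admin` uses `memcached_var_run_t` in `admin_pattern($1, memcached_var_run_t)` but its gen_require block declares only `memcached_t` and `memcached_initrc_exec_t`, so any module calling this interface will fail to build with an undeclared-type error. Change the require to `type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;` and, to match the other admin interfaces in this commit, put `files_list_pids($1)` before the admin_pattern call. In `memcached_domtrans` the second require line is indented with spaces and `domtrans_pattern($1,memcached_exec_t,memcached_t)` has no space after its commas, unlike the rest of the file.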
diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
new file mode 100644
index 0000000..cf3a8f0
--- /dev/null
+++ b/policy/modules/services/memcached.te
@@ -0,0 +1,50 @@
+
+policy_module(memcached, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# memcached local policy
+#
+
+allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_udp_sendrecv_all_if(memcached_t)
+corenet_udp_sendrecv_all_nodes(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_all_nodes(memcached_t)
+corenet_tcp_sendrecv_all_if(memcached_t)
+corenet_tcp_sendrecv_all_nodes(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_tcp_bind_all_nodes(memcached_t)
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t,  memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t,  memcached_var_run_t)
+files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })
+
+files_read_etc_files(memcached_t)
+
+libs_use_ld_so(memcached_t)
+libs_use_shared_libs(memcached_t)
+
+miscfiles_read_localization(memcached_t)
+
+sysnet_dns_name_resolve(memcached_t)
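Review bot: memcached_t may bind to all nodes (`corenet_tcp_bind_all_nodes`, `corenet_udp_bind_all_nodes`) but nothing here allows it to bind its listening port, so unless a memcached port is declared in corenetwork and granted to this domain the daemon's bind will be denied — an undeclared port falls under the generic port type, which needs `corenet_tcp_bind_generic_port`/`corenet_udp_bind_generic_port`. The usual fix is a port declaration in corenetwork.te.in, which generates the matching bind interfaces to call here; granting generic port binding is the broader fallback. Separately, `manage_dirs_pattern(memcached_t, memcached_var_run_t,  memcached_var_run_t)` has a doubled space and `files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })` lacks one after the first comma, unlike the equivalent lines in the other modules.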
diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc
index bbcd6c6..405b5bc 100644
--- a/policy/modules/services/openvpn.fc
+++ b/policy/modules/services/openvpn.fc
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/rc\.d/init\.d/openvpn --	gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 
 #
 # /usr
@@ -11,5 +12,5 @@
 #
 # /var
 #
-/var/log/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/log/openvpn.*		gen_context(system_u:object_r:openvpn_var_log_t,s0)
 /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index 54c09b8..f448846 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -90,3 +90,44 @@ interface(`openvpn_read_config',`
 	read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
 	read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an openvpn environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the openvpn domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_admin',`
+	gen_require(`
+		type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+		type openvpn_var_run_t, openvpn_initrc_exec_t;
+	')
+
+	allow $1 openvpn_t:process { ptrace signal_perms };
+	ps_process_pattern($1, openvpn_t)
+
+	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 openvpn_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, openvpn_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, openvpn_var_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, openvpn_var_run_t)
+')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8306732..116a59b 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
 
-policy_module(openvpn, 1.5.0)
+policy_module(openvpn, 1.5.1)
 
 ########################################
 #
@@ -20,7 +20,10 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
 
 # configuration files
 type openvpn_etc_t;
-files_type(openvpn_etc_t)
+files_config_file(openvpn_etc_t)
+
+type openvpn_initrc_exec_t;
+init_script_file(openvpn_initrc_exec_t)
 
 # log files
 type openvpn_var_log_t;
@@ -35,7 +38,7 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
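Review bot: `sys_chroot` is added to openvpn_t's capability set without a comment; presumably it supports OpenVPN's `--chroot` option, which is a hardening feature rather than an over-grant, but the policy does not say so. A short `# sys_chroot: --chroot support` beside the rule would keep a later reviewer from trimming it as unexplained privilege.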
@@ -45,6 +48,7 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+can_exec(openvpn_t, openvpn_etc_t)
 read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 
@@ -74,9 +78,12 @@ corenet_tcp_bind_all_nodes(openvpn_t)
 corenet_udp_bind_all_nodes(openvpn_t)
 corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
-corenet_sendrecv_openvpn_server_packets(openvpn_t)
-corenet_rw_tun_tap_dev(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_sendrecv_openvpn_client_packets(openvpn_t)
+corenet_sendrecv_http_client_packets(openvpn_t)
 
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
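Review bot: `corenet_tcp_connect_http_port(openvpn_t)` and `corenet_sendrecv_http_client_packets(openvpn_t)` let the VPN daemon open outbound connections to any HTTP port with no explanation; presumably this is for `--http-proxy`. Add `# outbound HTTP for --http-proxy tunnelling` above the two rules, and consider gating them on a tunable so deployments that do not traverse a proxy do not carry an unconditional outbound-HTTP grant. The reordering of the existing `corenet_rw_tun_tap_dev` and `corenet_sendrecv_openvpn_server_packets` lines is harmless.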
diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc
index a8863e8..268ae3d 100644
--- a/policy/modules/services/smartmon.fc
+++ b/policy/modules/services/smartmon.fc
@@ -1,7 +1,9 @@
+/etc/rc\.d/init\.d/smartd --	gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
 #
 # /usr
 #
-/usr/sbin/smartd		--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+/usr/sbin/smartd	--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
 
 #
 # /var
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index b695c2e..8566394 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -28,19 +28,30 @@ interface(`smartmon_read_tmp_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`smartmon_admin',`
 	gen_require(`
 		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+		type fsdaemon_initrc_exec_t;
 	')
 
 	allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, fsdaemon_t)
-	        
+
+	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 fsdaemon_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_tmp($1)
-	manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
+	admin_pattern($1, fsdaemon_tmp_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
+	admin_pattern($1, fsdaemon_var_run_t)
 ')
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 6bc6573..d9c874d 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
 
-policy_module(smartmon, 1.6.0)
+policy_module(smartmon, 1.6.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type fsdaemon_t;
 type fsdaemon_exec_t;
 init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
 
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
 type fsdaemon_var_run_t;
 files_pid_file(fsdaemon_var_run_t)
 
@@ -28,6 +31,7 @@ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
 allow fsdaemon_t self:udp_socket create_socket_perms;
+allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
 manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
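Review bot: `allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;` is likely redundant with the `sysnet_dns_name_resolve(fsdaemon_t)` added in the last hunk of this file, since in refpolicy that interface already carries the netlink_route_socket rule; if that holds, drop it, otherwise a comment on why the explicit rule is needed would help. This cannot be confirmed from the diff alone without the sysnet interface definition.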
@@ -78,7 +82,7 @@ logging_send_syslog_msg(fsdaemon_t)
 
 miscfiles_read_localization(fsdaemon_t)
 
-sysnet_read_config(fsdaemon_t)
+sysnet_dns_name_resolve(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 

