[selinux-policy: 2106/3172] trunk: 5 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:06:52 UTC 2010
commit 153fe24bdcd42270cbb00442a18b47f08f2039f6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Apr 7 14:09:43 2009 +0000
trunk: 5 patches from dan.
Changelog | 2 +
policy/modules/admin/logrotate.te | 2 +-
policy/modules/roles/webadm.fc | 1 +
policy/modules/roles/webadm.if | 50 +++++++++++++++++++++++++++++++++
policy/modules/roles/webadm.te | 56 +++++++++++++++++++++++++++++++++++++
policy/modules/services/git.fc | 3 ++
policy/modules/services/git.if | 1 +
policy/modules/services/git.te | 9 ++++++
policy/modules/system/raid.te | 3 ++
policy/modules/system/udev.if | 18 ++++++++++++
policy/modules/system/udev.te | 4 ++
11 files changed, 148 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 436ab35..0a76432 100644
--- a/Changelog
+++ b/Changelog
@@ -12,8 +12,10 @@
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
- Added modules:
+ git (Dan Walsh)
gues (Dan Walsh)
logadm (Dan Walsh)
+ webadm (Dan Walsh)
xguest (Dan Walsh)
zosremote (Dan Walsh)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 0a0aab2..fe696de 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -187,5 +187,5 @@ optional_policy(`
')
optional_policy(`
- squid_signal(logrotate_t)
+ squid_domtrans(logrotate_t)
')
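Review bot: Replacing squid_signal with squid_domtrans on the changed line gives logrotate_t a domain transition into squid_t in place of a bare signal permission, and nothing in the hunk records why the wider grant is needed. A one-line comment above the call, e.g. `# run the squid binary in squid_t to rotate its logs -- confirm`, would keep the rationale next to the rule; I infer the purpose from the interface name only, so please confirm. If logrotate_t must still deliver a signal to a running squid_t process directly, the removed squid_signal call may need to stay alongside the new one.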
diff --git a/policy/modules/roles/webadm.fc b/policy/modules/roles/webadm.fc
new file mode 100644
index 0000000..d46378a
--- /dev/null
+++ b/policy/modules/roles/webadm.fc
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --git a/policy/modules/roles/webadm.if b/policy/modules/roles/webadm.if
new file mode 100644
index 0000000..cc34f8b
--- /dev/null
+++ b/policy/modules/roles/webadm.if
@@ -0,0 +1,50 @@
+## <summary>Web administrator role</summary>
+
+########################################
+## <summary>
+## Change to the web administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change',`
+ gen_require(`
+ role webadm_r;
+ ')
+
+ allow $1 webadm_r;
+')
+
+########################################
+## <summary>
+## Change from the web administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the web administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change_to',`
+ gen_require(`
+ role webadm_r;
+ ')
+
+ allow webadm_r $1;
+')
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
new file mode 100644
index 0000000..0214c54
--- /dev/null
+++ b/policy/modules/roles/webadm.te
@@ -0,0 +1,56 @@
+
+policy_module(webadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+#apache_admin(webadm_t, webadm_r)
+
+tunable_policy(`webadm_manage_user_files',`
+ userdom_manage_user_home_content_files(webadm_t)
+ userdom_read_user_tmp_files(webadm_t)
+ userdom_write_user_tmp_files(webadm_t)
+')
+
+tunable_policy(`webadm_read_user_files',`
+ userdom_read_user_home_content_files(webadm_t)
+ userdom_read_user_tmp_files(webadm_t)
+')
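Review bot: The only apache-related rule in the new module, `apache_admin(webadm_t, webadm_r)` on the `#apache_admin` line, is commented out, so the web administrator role as committed gets no web server administration access and the reason for disabling it is not recorded. If that interface is not yet available, a comment such as `# TODO: enable once apache_admin() exists` or wrapping the call in an optional_policy block would make the intent clear; I infer the missing interface from the comment-out alone, so please confirm. The `self:capability` line also grants `dac_override`, `dac_read_search` and `sys_ptrace` to a role domain whose stated purpose is web administration; a short comment naming the web-admin task that needs each of them would help a reviewer judge the scope.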
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
new file mode 100644
index 0000000..2821565
--- /dev/null
+++ b/policy/modules/services/git.fc
@@ -0,0 +1,3 @@
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
new file mode 100644
index 0000000..458aac6
--- /dev/null
+++ b/policy/modules/services/git.if
@@ -0,0 +1 @@
+## <summary>GIT revision control system</summary>
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
new file mode 100644
index 0000000..64dd65a
--- /dev/null
+++ b/policy/modules/services/git.te
@@ -0,0 +1,9 @@
+
+policy_module(git, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(git)
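Review bot: `policy_module(git, 1.0)` uses a two-component version while the new webadm.te in the same commit uses `policy_module(webadm, 1.0.0)`; the module version should follow the three-component form, `policy_module(git, 1.0.0)`. The module body is only `apache_content_template(git)`, so a one-line comment naming the use case the git.fc contexts serve (the cgit CGI paths) would help readers; I infer cgit from the file contexts, so confirm the wording.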
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 3937837..ea5b7be 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -49,6 +49,9 @@ storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
+mls_file_read_all_levels(mdadm_t)
+mls_file_write_all_levels(mdadm_t)
+
term_dontaudit_list_ptys(mdadm_t)
# Helper program access
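Review bot: The two added mls_file_read_all_levels/mls_file_write_all_levels calls give mdadm_t an MLS override on files at every level, and the hunk gives no rationale for the grant. A comment above them, e.g. `# mdadm must access array member devices regardless of their MLS level -- confirm`, would record why the override is needed; I infer the device-access reason from the neighbouring storage_* rules and have not verified it. The surrounding rule block continues outside the hunk.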
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index e1f3c65..beec752 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -20,6 +20,24 @@ interface(`udev_domtrans',`
########################################
## <summary>
+## Execute udev in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_exec',`
+ gen_require(`
+ type udev_exec_t;
+ ')
+
+ can_exec($1, udev_exec_t)
+')
+
+########################################
+## <summary>
## Execute a udev helper in the udev domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f51a3af..324001a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -181,6 +181,10 @@ ifdef(`distro_redhat',`
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
+
+ optional_policy(`
+ unconfined_domain(udev_t)
+ ')
')
optional_policy(`
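Review bot: The added `unconfined_domain(udev_t)` inside the distro_redhat block makes udev an unconfined domain whenever the unconfined module is loaded, which overrides the confinement the rest of udev.te defines, and no comment says what udev needs that the confined policy does not provide. A comment on the line, e.g. `# udev runs arbitrary helper programs on Red Hat distributions -- confirm`, or better, the specific rules that are missing, would let reviewers judge whether the blanket grant is necessary; I infer the helper-program motivation and have not verified it. The enclosing distro_redhat ifdef block starts outside the hunk.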