[selinux-policy: 2106/3172] trunk: 5 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:06:52 UTC 2010


commit 153fe24bdcd42270cbb00442a18b47f08f2039f6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Apr 7 14:09:43 2009 +0000

    trunk: 5 patches from dan.

 Changelog                         |    2 +
 policy/modules/admin/logrotate.te |    2 +-
 policy/modules/roles/webadm.fc    |    1 +
 policy/modules/roles/webadm.if    |   50 +++++++++++++++++++++++++++++++++
 policy/modules/roles/webadm.te    |   56 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/git.fc    |    3 ++
 policy/modules/services/git.if    |    1 +
 policy/modules/services/git.te    |    9 ++++++
 policy/modules/system/raid.te     |    3 ++
 policy/modules/system/udev.if     |   18 ++++++++++++
 policy/modules/system/udev.te     |    4 ++
 11 files changed, 148 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 436ab35..0a76432 100644
--- a/Changelog
+++ b/Changelog
@@ -12,8 +12,10 @@
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.
 - Added modules:
+	git (Dan Walsh)
 	gues (Dan Walsh)
 	logadm (Dan Walsh)
+	webadm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
 
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 0a0aab2..fe696de 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -187,5 +187,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	squid_signal(logrotate_t)
+	squid_domtrans(logrotate_t)
 ')
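Review bot: Replacing `squid_signal(logrotate_t)` with `squid_domtrans(logrotate_t)` removes the direct signal permission rather than adding to it, so if logrotate's postrotate step still signals the running squid process itself, that access is now gone; if instead it runs the squid binary, the new rule makes that execution transition into squid_t, which is a broader grant than sending a signal. A one-line comment above the call, e.g. `# rotation is done by executing squid, which transitions to squid_t`, would record which of the two is intended. The optional_policy block is fully inside the hunk.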
diff --git a/policy/modules/roles/webadm.fc b/policy/modules/roles/webadm.fc
new file mode 100644
index 0000000..d46378a
--- /dev/null
+++ b/policy/modules/roles/webadm.fc
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --git a/policy/modules/roles/webadm.if b/policy/modules/roles/webadm.if
new file mode 100644
index 0000000..cc34f8b
--- /dev/null
+++ b/policy/modules/roles/webadm.if
@@ -0,0 +1,50 @@
+## <summary>Web administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the web administrator role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change',`
+	gen_require(`
+		role webadm_r;
+	')
+
+	allow $1 webadm_r;
+')
+
+########################################
+## <summary>
+##	Change from the web administrator role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the web administrator role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`webadm_role_change_to',`
+	gen_require(`
+		role webadm_r;
+	')
+
+	allow webadm_r $1;
+')
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
new file mode 100644
index 0000000..0214c54
--- /dev/null
+++ b/policy/modules/roles/webadm.te
@@ -0,0 +1,56 @@
+
+policy_module(webadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>   
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_user_home_dirs(webadm_t)
+
+#apache_admin(webadm_t, webadm_r)
+
+tunable_policy(`webadm_manage_user_files',`
+	userdom_manage_user_home_content_files(webadm_t)
+	userdom_read_user_tmp_files(webadm_t)
+	userdom_write_user_tmp_files(webadm_t)
+')
+
+tunable_policy(`webadm_read_user_files',`
+	userdom_read_user_home_content_files(webadm_t)
+	userdom_read_user_tmp_files(webadm_t)
+')
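Review bot: The line `allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` grants DAC bypass and ptrace to a role whose only apache-specific rule, `#apache_admin(webadm_t, webadm_r)`, is commented out, and nothing in the file says which administrative task needs each capability. A comment above the allow line naming the use of `dac_override`/`dac_read_search` and of `sys_ptrace` would let a later reviewer drop the ones that prove unnecessary instead of leaving a web administration role able to read files regardless of DAC permissions. The commented-out apache_admin call presumably waits for that interface to exist; a `# TODO: enable once apache_admin() is available in apache.if` makes that explicit rather than leaving the role's core purpose silently disabled. The `##	</p>   ` line in the webadm_read_user_files description also carries trailing whitespace.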
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
new file mode 100644
index 0000000..2821565
--- /dev/null
+++ b/policy/modules/services/git.fc
@@ -0,0 +1,3 @@
+/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
new file mode 100644
index 0000000..458aac6
--- /dev/null
+++ b/policy/modules/services/git.if
@@ -0,0 +1 @@
+## <summary>GIT revision control system</summary>
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
new file mode 100644
index 0000000..64dd65a
--- /dev/null
+++ b/policy/modules/services/git.te
@@ -0,0 +1,9 @@
+
+policy_module(git, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(git)
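Review bot: `policy_module(git, 1.0)` uses a two-component version while the webadm module added in this same commit uses `policy_module(webadm, 1.0.0)`; `policy_module(git, 1.0.0)` keeps the two consistent. The summary in git.if calls this the GIT revision control system, but the module body is only `apache_content_template(git)` and the contexts in git.fc label the cgit web front end under /var/cache/cgit, /var/lib/git and /var/www/cgi-bin/cgit, with /var/lib/git getting the read-only httpd_git_content_t type. A header comment such as `# Currently only covers the cgit CGI front end and the repositories it reads` would tell readers not to expect a git daemon domain here, and would make the read-only labelling of /var/lib/git look deliberate rather than accidental.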
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 3937837..ea5b7be 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -49,6 +49,9 @@ storage_manage_fixed_disk(mdadm_t)
 storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 
+mls_file_read_all_levels(mdadm_t)
+mls_file_write_all_levels(mdadm_t)
+
 term_dontaudit_list_ptys(mdadm_t)
 
 # Helper program access
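Review bot: `mls_file_read_all_levels(mdadm_t)` and `mls_file_write_all_levels(mdadm_t)` exempt mdadm_t from MLS file constraints in both directions, and the hunk gives no reason; on an MLS policy that is a broader grant than the storage_* rules above it. A comment above the pair, e.g. `# array member devices and metadata may sit at any MLS level -- confirm`, would record the rationale, and it is worth confirming that both the read and the write override are needed rather than only one of them.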
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index e1f3c65..beec752 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -20,6 +20,24 @@ interface(`udev_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute udev in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_exec',`
+	gen_require(`
+		type udev_exec_t;
+	')
+
+	can_exec($1, udev_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute a udev helper in the udev domain.
 ## </summary>
 ## <param name="domain">
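Review bot: `udev_exec` executes udev_exec_t in the caller's own domain with no transition, unlike `udev_domtrans` just above it, and none of the other files in this commit call it, so it is hard to tell from here which domain needs to run udev without being confined by udev_t. Extending the summary to `##	Execute udev in the caller domain, without a domain transition.` makes the difference from udev_domtrans visible to whoever adds the first caller. The interface is complete within the hunk.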
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f51a3af..324001a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -181,6 +181,10 @@ ifdef(`distro_redhat',`
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
+
+	optional_policy(`
+		unconfined_domain(udev_t)
+	')
 ')
 
 optional_policy(`
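Review bot: `unconfined_domain(udev_t)` inside the distro_redhat block makes udev effectively unconfined on Red Hat builds, which sets aside every udev_t rule in this file — including the `netutils_domtrans(udev_t)` just above it — for a daemon that runs device helpers in response to kernel events, and the hunk carries no comment explaining what breaks without it. If this is a stopgap for helper rules that have not been written yet, a comment such as `# TODO: stopgap for unidentified helper denials; replace with targeted rules` above the optional_policy block records that it is meant to be temporary, and the denials it papers over could then be carried as ordinary allow rules. The enclosing distro_redhat ifdef block starts before the hunk.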

