[selinux-policy: 3146/3172] Move c2s to run in jabber_router_t domain Other fixes for jabberd policy
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:39:44 UTC 2010
commit df488eda7b4e12bae4a5a2e684266f7b2782e7ed
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Sep 24 14:14:38 2010 +0200
Move c2s to run in the jabberd_router_t domain
Other fixes for jabberd policy
policy/modules/services/jabber.fc | 4 +-
policy/modules/services/jabber.te | 103 +++++++++++++++++--------------------
2 files changed, 49 insertions(+), 58 deletions(-)
---
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index 908eb91..deef4c7 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -4,9 +4,9 @@
# for new version of jabberd
/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 5f8840f..e184dff 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -30,6 +30,52 @@ files_pid_file(jabberd_var_run_t)
permissive jabberd_router_t;
permissive jabberd_t;
+######################################
+#
+# Local policy for jabberd-router and c2s components
+#
+
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+
+fs_getattr_all_fs(jabberd_router_t)
+
+miscfiles_read_certs(jabberd_router_t)
+
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(jabberd_router_t)
+')
+
+#####################################
+#
+# Local policy for other jabberd components
+#
+
+kernel_read_system_state(jabberd_t)
+
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
+')
+
+optional_policy(`
+ udev_read_db(jabberd_t)
+')
+
#######################################
#
# Local policy for jabberd domains
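Review bot: The new "other jabberd components" section keeps `corenet_tcp_bind_jabber_interserver_port(jabberd_t)` but the matching `corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)` from the old jabberd_t section is dropped and not moved anywhere, so on a host using labeled packets s2s could bind its port yet be denied traffic on it; adding that line directly under the bind rule restores the pair. Both domains are still declared `permissive` in the context at the top of the hunk, so none of these rules is enforced yet and a gap like this will only surface as an AVC message, which is worth checking against the audit log before the permissive lines are removed. Moving c2s into jabberd_router_t also means the component that binds the client-facing port (`corenet_tcp_bind_jabber_client_port(jabberd_router_t)`) now shares a domain with the router's netlink route socket, router-port bind and Kerberos access, which enlarges what a compromised c2s could reach; if the two binaries can run separately a dedicated c2s domain would keep that boundary, otherwise a comment in the new section explaining why they were merged would help the next maintainer. The jabberd_domain section that starts at the end of this hunk continues outside it.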
@@ -62,6 +108,7 @@ corenet_tcp_bind_generic_node(jabberd_domain)
dev_read_urand(jabberd_domain)
dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
files_read_etc_files(jabberd_domain)
files_read_etc_runtime_files(jabberd_domain)
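Review bot: `dev_read_urand(jabberd_domain)` appears twice in the context lines directly above the added `dev_read_sysfs(jabberd_domain)`; the duplicate is harmless but should be dropped while this block is being edited. Separately, the old jabberd_t rules carried `dev_read_rand(jabberd_t)` under the comment `# For SSL`, and that rule is deleted in the next hunk with no replacement in this shared block, so if the TLS path really opens /dev/random it will be denied once the domains leave permissive mode; either re-add it as `dev_read_rand(jabberd_domain)` or confirm that urandom alone is sufficient. Promoting sysfs read access from jabberd_t to every jabberd domain is a small widening for the router, so a one-line comment naming the component that needs sysfs would document the reason. The jabberd_domain block begins before and ends after this hunk.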
@@ -71,59 +118,3 @@ logging_send_syslog_msg(jabberd_domain)
miscfiles_read_localization(jabberd_domain)
sysnet_read_config(jabberd_domain)
-
-######################################
-#
-# Local policy for jabberd-router
-#
-
-allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-
-corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-
-optional_policy(`
- kerberos_use(jabberd_router_t)
-')
-
-########################################
-#
-# Local policy for jabberd
-#
-
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-
-kernel_read_kernel_sysctls(jabberd_t)
-kernel_read_proc_symlinks(jabberd_t)
-kernel_read_system_state(jabberd_t)
-
-corenet_tcp_connect_jabber_router_port(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-
-dev_read_sysfs(jabberd_t)
-# For SSL
-dev_read_rand(jabberd_t)
-
-domain_use_interactive_fds(jabberd_t)
-
-fs_getattr_all_fs(jabberd_t)
-fs_search_auto_mountpoints(jabberd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
-
-optional_policy(`
- nis_use_ypbind(jabberd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(jabberd_t)
-')
-
-optional_policy(`
- udev_read_db(jabberd_t)
-')