[selinux-policy: 3146/3172] Move c2s to run in jabber_router_t domain Other fixes for jabberd policy

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:39:44 UTC 2010


commit df488eda7b4e12bae4a5a2e684266f7b2782e7ed
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Sep 24 14:14:38 2010 +0200

    Move c2s to run in jabber_router_t domain
    Other fixes for jabberd policy

 policy/modules/services/jabber.fc |    4 +-
 policy/modules/services/jabber.te |  103 +++++++++++++++++--------------------
 2 files changed, 49 insertions(+), 58 deletions(-)
---
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index 908eb91..deef4c7 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -4,9 +4,9 @@
 
 # for new version of jabberd
 /usr/bin/router         --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
 /usr/bin/s2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 
 /var/lib/jabberd(/.*)?           gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 5f8840f..e184dff 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -30,6 +30,52 @@ files_pid_file(jabberd_var_run_t)
 permissive jabberd_router_t;
 permissive jabberd_t;
 
+######################################
+#
+# Local policy for jabberd-router and c2s components
+#
+
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+
+fs_getattr_all_fs(jabberd_router_t)
+
+miscfiles_read_certs(jabberd_router_t)
+
+optional_policy(`
+        kerberos_use(jabberd_router_t)
+')
+
+optional_policy(`
+       nis_use_ypbind(jabberd_router_t)
+')
+
+#####################################
+#
+# Local policy for other jabberd components
+#
+
+kernel_read_system_state(jabberd_t)
+
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
+
+optional_policy(`
+       seutil_sigchld_newrole(jabberd_t)
+')
+
+optional_policy(`
+       udev_read_db(jabberd_t)
+')
+
 #######################################
 #
 # Local policy for jabberd domains
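Review bot: The new jabberd_t block keeps `corenet_tcp_bind_jabber_interserver_port(jabberd_t)` but does not carry over the matching `corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)` that the old section at the end of the file had, while the router block pairs each bind with its sendrecv rule (lines 49-53); on a system using labeled networking the interserver listener would be denied packet access, so add `corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)` after line 75. Several other rules from the removed jabberd_t section (the `dac_override` capability, the `sys_tty_config` dontaudit, `kernel_read_kernel_sysctls`, `kernel_read_proc_symlinks`, `dev_read_rand` "For SSL", `domain_use_interactive_fds`, `fs_getattr_all_fs`, `fs_search_auto_mountpoints`) do not reappear in the visible hunks; if they were not moved into the jabberd_domain section outside this hunk, the drop is only masked by the `permissive jabberd_t;` declaration and will surface as AVC denials rather than failures, so it is worth stating in the commit whether the removals are intended least-privilege tightening. The added `optional_policy` bodies are indented with seven or eight spaces, whereas the removed blocks and the rest of refpolicy use a single tab, e.g. `\tkerberos_use(jabberd_router_t)`. Since c2s (the client-facing listener, now binding the client port on line 49) shares jabberd_router_t with the router, the section header at line 44 should say why the two are merged, because a compromise of the client listener now carries the router's permissions including `kerberos_use`.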
@@ -62,6 +108,7 @@ corenet_tcp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
 
 files_read_etc_files(jabberd_domain)
 files_read_etc_runtime_files(jabberd_domain)
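Review bot: The two `dev_read_urand(jabberd_domain)` lines directly above the added `dev_read_sysfs(jabberd_domain)` are duplicates that predate this commit; since the hunk already edits this block, dropping the second one here is cheap and avoids the duplicate rule staying in the compiled module. The surrounding "Local policy for jabberd domains" section starts and ends outside the hunk, so I cannot tell whether the removed `dev_read_rand(jabberd_t)` rule was moved here; if SSL in s2s/sm still opens /dev/random, `dev_read_urand` alone does not cover it.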
@@ -71,59 +118,3 @@ logging_send_syslog_msg(jabberd_domain)
 miscfiles_read_localization(jabberd_domain)
 
 sysnet_read_config(jabberd_domain)
-
-######################################
-#
-# Local policy for jabberd-router
-#
-
-allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-
-corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-
-optional_policy(`
-	kerberos_use(jabberd_router_t)
-')
-
-########################################
-#
-# Local policy for jabberd
-#
-
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-
-kernel_read_kernel_sysctls(jabberd_t)
-kernel_read_proc_symlinks(jabberd_t)
-kernel_read_system_state(jabberd_t)
-
-corenet_tcp_connect_jabber_router_port(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-
-dev_read_sysfs(jabberd_t)
-# For SSL
-dev_read_rand(jabberd_t)
-
-domain_use_interactive_fds(jabberd_t)
-
-fs_getattr_all_fs(jabberd_t)
-fs_search_auto_mountpoints(jabberd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
-
-optional_policy(`
-	nis_use_ypbind(jabberd_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(jabberd_t)
-')
-
-optional_policy(`
-	udev_read_db(jabberd_t)
-')

