[selinux-policy: 1102/3172] add daemontools, djbdns, publicfile, and ucspitcp from Petre Rodan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:40:04 UTC 2010
commit 44d5d93fb8bf6fdf01a66d404562b3a479a28ef9
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jan 16 18:30:14 2006 +0000
add daemontools, djbdns, publicfile, and ucspitcp from Petre Rodan.
refpolicy/Changelog | 4 +
refpolicy/policy/modules/services/apache.te | 6 +-
refpolicy/policy/modules/services/djbdns.fc | 9 ++
refpolicy/policy/modules/services/djbdns.if | 53 ++++++++
refpolicy/policy/modules/services/djbdns.te | 47 +++++++
refpolicy/policy/modules/services/ftp.te | 6 +-
refpolicy/policy/modules/services/mysql.te | 15 +--
refpolicy/policy/modules/services/publicfile.fc | 7 +
refpolicy/policy/modules/services/publicfile.if | 1 +
refpolicy/policy/modules/services/publicfile.te | 39 ++++++
refpolicy/policy/modules/services/rsync.te | 6 +-
refpolicy/policy/modules/services/spamassassin.te | 6 +-
refpolicy/policy/modules/services/ssh.te | 6 +-
refpolicy/policy/modules/services/stunnel.te | 4 +
refpolicy/policy/modules/services/ucspitcp.fc | 3 +
refpolicy/policy/modules/services/ucspitcp.if | 36 +++++
refpolicy/policy/modules/services/ucspitcp.te | 90 +++++++++++++
refpolicy/policy/modules/system/daemontools.fc | 48 +++++++
refpolicy/policy/modules/system/daemontools.if | 147 +++++++++++++++++++++
refpolicy/policy/modules/system/daemontools.te | 120 +++++++++++++++++
refpolicy/policy/modules/system/init.fc | 5 +-
refpolicy/policy/modules/system/init.te | 8 +-
refpolicy/policy/modules/system/logging.fc | 6 +
refpolicy/policy/modules/system/selinuxutil.te | 6 +-
24 files changed, 659 insertions(+), 19 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ead8afb..275d6bc 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -14,7 +14,9 @@
alsa
automount
cdrecord
+ daemontools (Petre Rodan)
ddcprobe
+ djbdns (Petre Rodan)
fetchmail
irc
java
@@ -22,6 +24,7 @@
logwatch (Dan Walsh)
openct
prelink (Dan Walsh)
+ publicfile (Petre Rodan)
readahead
roundup
screen
@@ -29,6 +32,7 @@
slrnpull
smartmon
sysstat
+ ucspitcp (Petre Rodan)
usbmodules
vbetool (Dan Walsh)
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 0dcf3a2..a0cb9e7 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.1.2)
+policy_module(apache,1.1.3)
#
# NOTES:
@@ -395,6 +395,10 @@ tunable_policy(`httpd_tty_comm',`
userdom_dontaudit_use_sysadm_terms(httpd_t)
')
+optional_policy(`daemontools',`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+')
+
optional_policy(`kerberos',`
kerberos_use(httpd_t)
')
diff --git a/refpolicy/policy/modules/services/djbdns.fc b/refpolicy/policy/modules/services/djbdns.fc
new file mode 100644
index 0000000..fdb6652
--- /dev/null
+++ b/refpolicy/policy/modules/services/djbdns.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+
diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if
new file mode 100644
index 0000000..7f1bda3
--- /dev/null
+++ b/refpolicy/policy/modules/services/djbdns.if
@@ -0,0 +1,53 @@
+## <summary>small and secure DNS daemon</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for djbdns
+## components that are directly supervised by daemontools.
+## </summary>
+## <param name="prefix">
+## The prefix to be used for deriving type names.
+## </param>
+#
+template(`djbdns_daemontools_domain_template',`
+
+ type djbdns_$1_t;
+ type djbdns_$1_exec_t;
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ domain_type(djbdns_$1_t)
+ domain_entry_file(djbdns_$1_t,djbdns_$1_exec_t)
+ role system_r types djbdns_$1_t;
+
+ daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+ allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ allow djbdns_$1_t self:udp_socket create_socket_perms;
+ allow djbdns_$1_t port_t:udp_socket name_bind;
+
+ allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
+
+ corenet_tcp_sendrecv_all_if(djbdns_$1_t)
+ corenet_udp_sendrecv_all_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
+ corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_non_ipsec_sendrecv(djbdns_$1_t)
+ corenet_tcp_bind_all_nodes(djbdns_$1_t)
+ corenet_udp_bind_all_nodes(djbdns_$1_t)
+
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
+
+ libs_use_ld_so(djbdns_$1_t)
+ libs_use_shared_libs(djbdns_$1_t)
+
+')
+
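Review bot: The rule `allow djbdns_$1_t port_t:udp_socket name_bind;` names `port_t` directly, with no `gen_require` and no corenetwork interface, and because it sits in the template it applies to both dnscache and tinydns. ucspitcp.te in this same commit uses `corenet_udp_bind_generic_port(...)` for the same access, so the template line should read `corenet_udp_bind_generic_port(djbdns_$1_t)`. Binding arbitrary unreserved UDP ports is presumably only needed by the resolver (dnscache) for outgoing queries. If so, move that line out of the template into dnscache-specific policy so tinydns keeps only the DNS-port binds.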
diff --git a/refpolicy/policy/modules/services/djbdns.te b/refpolicy/policy/modules/services/djbdns.te
new file mode 100644
index 0000000..a51e8c6
--- /dev/null
+++ b/refpolicy/policy/modules/services/djbdns.te
@@ -0,0 +1,47 @@
+
+policy_module(djbdns,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type djbdns_axfrdns_t;
+type djbdns_axfrdns_exec_t;
+type djbdns_axfrdns_conf_t;
+domain_type(djbdns_axfrdns_t)
+domain_entry_file(djbdns_axfrdns_t,djbdns_axfrdns_exec_t)
+role system_r types djbdns_axfrdns_t;
+files_config_file(djbdns_axfrdns_conf_t)
+
+djbdns_daemontools_domain_template(dnscache)
+
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Local policy for axfrdns component
+#
+
+files_config_file(djbdns_axfrdns_conf_t)
+
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms;
+
+files_search_var(djbdns_axfrdns_t)
+
+libs_use_ld_so(djbdns_axfrdns_t)
+libs_use_shared_libs(djbdns_axfrdns_t)
+
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
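Review bot: The two rules `allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;` and `allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms;` target the tinydns process domain, not a file type. Files and directories carrying a domain type are normally that process's /proc entries, so this most likely grants axfrdns read access to tinydns's /proc/PID data rather than to its zone data. The following pair on `djbdns_tinydns_conf_t` already covers the data files, so I would drop the `djbdns_tinydns_t` pair unless an AVC denial shows it is needed, and say why in a comment if so. `files_config_file(djbdns_axfrdns_conf_t)` also appears twice (in Declarations and again under the axfrdns local policy); one call is enough.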
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index d83523a..b00211c 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.1.1)
+policy_module(ftp,1.1.2)
########################################
#
@@ -193,6 +193,10 @@ optional_policy(`cron',`
')
')
+optional_policy(`daemontools',`
+ daemontools_service_domain(ftpd_t, ftpd_exec_t)
+')
+
optional_policy(`inetd',`
#reh: typeattributes not allowed in conditionals yet.
#tunable_policy(`! ftpd_is_daemon',`
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index bbfa13d..5ac8547 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql,1.1.0)
+policy_module(mysql,1.1.1)
########################################
#
@@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(mysqld_t)
')
+optional_policy(`daemontools',`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
optional_policy(`mount',`
mount_send_nfs_client_request(mysqld_t)
')
@@ -140,12 +144,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(mysqld_t)
')
-
-ifdef(`TODO',`
-optional_policy(`daemontools',`
- domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
- mysqld_signal(svc_start_t)
-
- svc_ipc_domain(mysqld_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/publicfile.fc b/refpolicy/policy/modules/services/publicfile.fc
new file mode 100644
index 0000000..5b20b68
--- /dev/null
+++ b/refpolicy/policy/modules/services/publicfile.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0)
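Review bot: The only file context for `publicfile_content_t` is commented out, so after a relabel nothing carries the one type publicfile.te lets `publicfile_t` read. The comment should state that explicitly, for example `# publicfile_t can only read publicfile_content_t; add a local file context for your content root, nothing is labelled by default`. The existing wording ("where online content located") also reads as a leftover draft.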
diff --git a/refpolicy/policy/modules/services/publicfile.if b/refpolicy/policy/modules/services/publicfile.if
new file mode 100644
index 0000000..5b07592
--- /dev/null
+++ b/refpolicy/policy/modules/services/publicfile.if
@@ -0,0 +1 @@
+## <summary>publicfile supplies files to the public through HTTP and FTP</summary>
diff --git a/refpolicy/policy/modules/services/publicfile.te b/refpolicy/policy/modules/services/publicfile.te
new file mode 100644
index 0000000..ceab2ae
--- /dev/null
+++ b/refpolicy/policy/modules/services/publicfile.te
@@ -0,0 +1,39 @@
+
+policy_module(publicfile,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type publicfile_t;
+type publicfile_exec_t;
+init_system_domain(publicfile_t,publicfile_exec_t)
+role system_r types publicfile_t;
+
+type publicfile_content_t;
+files_type(publicfile_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t publicfile_content_t:dir r_dir_perms;
+allow publicfile_t publicfile_content_t:file r_file_perms;
+
+files_search_var(publicfile_t)
+
+libs_use_ld_so(publicfile_t)
+libs_use_shared_libs(publicfile_t)
+
+optional_policy(`daemontools',`
+ daemontools_ipc_domain(publicfile_t)
+')
+
+optional_policy(`ucspitcp',`
+ ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
+')
+
+#allow publicfile_t initrc_t:tcp_socket { read write };
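Review bot: `dac_override` in `allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };` lets a network-facing file server ignore Unix permission bits on everything its type rules reach, and nothing in this hunk shows why it is required. I would start from `allow publicfile_t self:capability { setgid setuid sys_chroot };` and add back only what an observed denial justifies, preferring `dac_read_search` over `dac_override` for a read-only server. The trailing commented-out `#allow publicfile_t initrc_t:tcp_socket { read write };` should be removed or given a comment explaining when it is needed.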
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index d439016..cac34c8 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.1.0)
+policy_module(rsync,1.1.2)
########################################
#
@@ -87,6 +87,10 @@ tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
+optional_policy(`daemontools',`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
optional_policy(`kerberos',`
kerberos_use(rsync_t)
')
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index db4955f..9cd121c 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.1.1)
+policy_module(spamassassin,1.1.2)
########################################
#
@@ -136,6 +136,10 @@ optional_policy(`cron',`
cron_system_entry(spamd_t,spamd_exec_t)
')
+optional_policy(`daemontools',`
+ daemontools_service_domain(spamd_t,spamd_exec_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(spamd_t)
')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index e0697b8..79a51c7 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.1.1)
+policy_module(ssh,1.1.2)
########################################
#
@@ -113,6 +113,10 @@ ifdef(`targeted_policy',`',`
userdom_signal_unpriv_users(sshd_t)
')
+ optional_policy(`daemontools',`
+ daemontools_service_domain(sshd_t, sshd_exec_t)
+ ')
+
optional_policy(`rpm',`
rpm_use_script_fd(sshd_t)
')
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 923c05c..07f2551 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -103,6 +103,10 @@ ifdef(`distro_gentoo', `
files_dontaudit_read_root_file(stunnel_t)
')
+ optional_policy(`daemontools',`
+ daemontools_service_domain(stunnel_t, stunnel_exec_t)
+ ')
+
optional_policy(`mount',`
mount_send_nfs_client_request(stunnel_t)
')
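Review bot: stunnel.te gains a new optional block here, but its `policy_module(stunnel, ...)` version is not bumped. Every other existing module touched by this commit (apache, ftp, mysql, rsync, spamassassin, ssh, init, selinuxutil) has a version hunk. The version line is outside this hunk, so the fix is a one-line bump of `policy_module(stunnel,<current version>)` to the next patch level. The rsync bump in the same commit also goes from 1.1.0 straight to 1.1.2, which looks unintended.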
diff --git a/refpolicy/policy/modules/services/ucspitcp.fc b/refpolicy/policy/modules/services/ucspitcp.fc
new file mode 100644
index 0000000..667d0b5
--- /dev/null
+++ b/refpolicy/policy/modules/services/ucspitcp.fc
@@ -0,0 +1,3 @@
+
+/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
+/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/ucspitcp.if b/refpolicy/policy/modules/services/ucspitcp.if
new file mode 100644
index 0000000..0d1990d
--- /dev/null
+++ b/refpolicy/policy/modules/services/ucspitcp.if
@@ -0,0 +1,36 @@
+## <summary>ucspitcp policy</summary>
+## <desc>
+## <p>
+## Policy for DJB's ucspi-tcpd
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Define a specified domain as a ucspitcp service.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="entrypoint">
+## The type associated with the process program.
+## </param>
+#
+interface(`ucspitcp_service_domain', `
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1,$2)
+
+ role system_r types $1;
+
+ domain_auto_trans(ucspitcp_t, $2, $1)
+
+ allow $1 ucspitcp_t:fd use;
+ allow $1 ucspitcp_t:process sigchld;
+ allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
+
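Review bot: `ucspitcp_service_domain` declares the domain itself (`domain_type($1)`, `domain_entry_file($1,$2)`, `role system_r types $1;`), yet every caller in this commit has already declared it. rblsmtpd_t and publicfile_t do so through `init_system_domain` plus a `role` line, and djbdns_axfrdns_t through explicit `domain_type`/`domain_entry_file`/`role` lines. The sibling `daemontools_service_domain` only adds the transition and IPC rules, so I would make this interface match by dropping those three lines, leaving declaration to the calling module. The `<param name="domain">` text should also say that tcpserver (`ucspitcp_t`) auto-transitions into this domain and hands it the accepted TCP socket, rather than the generic "Domain allowed access".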
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
new file mode 100644
index 0000000..cdaa0fb
--- /dev/null
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@@ -0,0 +1,90 @@
+
+policy_module(ucspitcp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t,rblsmtpd_exec_t)
+role system_r types rblsmtpd_t;
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t,ucspitcp_exec_t)
+role system_r types ucspitcp_t;
+
+########################################
+#
+# Local policy for rblsmtpd
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_tcp_sendrecv_all_if(rblsmtpd_t)
+corenet_udp_sendrecv_all_if(rblsmtpd_t)
+corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_non_ipsec_sendrecv(rblsmtpd_t)
+corenet_tcp_bind_all_nodes(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+libs_use_ld_so(rblsmtpd_t)
+libs_use_shared_libs(rblsmtpd_t)
+
+optional_policy(`daemontools',`
+ daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Local policy for tcpserver
+#
+
+allow ucspitcp_t self:capability { net_bind_service setgid setuid };
+allow ucspitcp_t self:fifo_file { read write };
+allow ucspitcp_t self:process { fork sigchld };
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+corecmd_search_sbin(ucspitcp_t)
+
+corenet_tcp_sendrecv_all_if(ucspitcp_t)
+corenet_udp_sendrecv_all_if(ucspitcp_t)
+corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
+corenet_udp_sendrecv_all_nodes(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_tcp_bind_all_nodes(ucspitcp_t)
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+files_search_var(ucspitcp_t)
+files_read_etc_files(ucspitcp_t)
+
+libs_use_ld_so(ucspitcp_t)
+libs_use_shared_libs(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`daemontools',`
+ daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+')
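Review bot: The tcpserver section grants UDP access (`corenet_udp_sendrecv_all_*`, `corenet_udp_bind_dns_port(ucspitcp_t)`, `corenet_udp_bind_generic_port(ucspitcp_t)`), but the only socket class `ucspitcp_t` may create is `self:tcp_socket`. Those UDP rules therefore look either unusable or like a missing `self:udp_socket` rule. The rblsmtpd section has the same shape: network rules, but no `self:udp_socket` or `self:tcp_socket` line at all. If rblsmtpd does its own DNS lookups, it presumably needs `allow rblsmtpd_t self:udp_socket create_socket_perms;`. For tcpserver I would delete the UDP lines unless a denial shows they are needed, which also narrows what a compromised listener may bind.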
diff --git a/refpolicy/policy/modules/system/daemontools.fc b/refpolicy/policy/modules/system/daemontools.fc
new file mode 100644
index 0000000..7b7968b
--- /dev/null
+++ b/refpolicy/policy/modules/system/daemontools.fc
@@ -0,0 +1,48 @@
+#
+# /service
+#
+
+/service(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0)
+/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0)
+
+#
+# /var
+#
+
+/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+
+/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
+/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
+/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
+/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
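Review bot: The `/var/service` patterns are much broader than the per-service entries above them. `/var/service/.*/run.*` and `/var/service/.*/log/run` carry no `--` file-type field, and `.*` matches across `/`, so any file or directory at any depth whose name starts with `run` is labelled `svc_run_exec_t`. That type is the entrypoint into `svc_run_t`, which holds setuid/setgid/chown capabilities, so the label should cover only the real run scripts, e.g. `/var/service/[^/]+/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)` and `/var/service/[^/]+/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)`. If the `run.*` suffix is deliberate (variant script names), a comment should say which names it is meant to catch.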
diff --git a/refpolicy/policy/modules/system/daemontools.if b/refpolicy/policy/modules/system/daemontools.if
new file mode 100644
index 0000000..6bb1348
--- /dev/null
+++ b/refpolicy/policy/modules/system/daemontools.if
@@ -0,0 +1,147 @@
+## <summary>Collection of tools for managing UNIX services</summary>
+## <desc>
+## <p>
+## Policy for DJB's daemontools
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## An ipc channel between the supervised domain and svc_start_t
+## </summary>
+## <param name="domain">
+## Domain allowed access to svc_start_t.
+## </param>
+#
+interface(`daemontools_ipc_domain',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ allow $1 svc_start_t:process sigchld;
+ allow $1 svc_start_t:fd use;
+ allow $1 svc_start_t:fifo_file { read write getattr };
+ allow svc_start_t $1:process signal;
+')
+
+########################################
+## <summary>
+## Define a specified domain as a supervised service.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="entrypoint">
+## The type associated with the process program.
+## </param>
+#
+interface(`daemontools_service_domain',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ domain_auto_trans(svc_run_t, $2, $1)
+ daemontools_ipc_domain($1)
+
+ allow svc_run_t $1:process signal;
+ allow $1 svc_run_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute in the svc_start_t domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`daemontools_domtrans_start',`
+ gen_require(`
+ type svc_start_t, svc_start_exec_t;
+ ')
+
+ domain_auto_trans($1, svc_start_exec_t, svc_start_t)
+
+ allow $1 svc_start_t:fd use;
+ allow svc_start_t $1:fd use;
+ allow svc_start_t $1:fifo_file rw_file_perms;
+ allow svc_start_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute in the svc_run_t domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`daemontools_domtrans_run',`
+ gen_require(`
+ type svc_run_t, svc_run_exec_t;
+ ')
+
+ domain_auto_trans($1, svc_run_exec_t, svc_run_t)
+
+ allow $1 svc_run_t:fd use;
+ allow svc_run_t $1:fd use;
+ allow svc_run_t $1:fifo_file rw_file_perms;
+ allow svc_run_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute in the svc_multilog_t domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`daemontools_domtrans_multilog',`
+ gen_require(`
+ type svc_multilog_t, svc_multilog_exec_t;
+ ')
+
+ domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
+
+ allow $1 svc_multilog_t:fd use;
+ allow svc_multilog_t $1:fd use;
+ allow svc_multilog_t $1:fifo_file rw_file_perms;
+ allow svc_multilog_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow a domain to read svc_svc_t files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`daemontools_read_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir r_dir_perms;
+ allow $1 svc_svc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow a domain to create svc_svc_t files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`daemontools_manage_svc',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir create_dir_perms;
+ allow $1 svc_svc_t:fifo_file create_file_perms;
+ allow $1 svc_svc_t:file create_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+')
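Review bot: `daemontools_ipc_domain` and `daemontools_service_domain` give `svc_start_t` and `svc_run_t` only `signal` on the supervised domain. SELinux checks SIGKILL and SIGSTOP under the separate `sigkill` and `sigstop` process permissions, so a supervisor-issued kill or pause (`svc -k`, `svc -p`) would presumably be denied. If the restriction is intentional it deserves a comment in the interface. Otherwise the rule would be `allow svc_start_t $1:process { signal sigkill sigstop };`. Separately, the summary of `daemontools_manage_svc` says "create svc_svc_t files" while the name says manage and the rules grant `create_dir_perms`/`create_file_perms`, which likely cover more than creation; the summary should describe the full access granted.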
diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te
new file mode 100644
index 0000000..037c993
--- /dev/null
+++ b/refpolicy/policy/modules/system/daemontools.te
@@ -0,0 +1,120 @@
+
+policy_module(daemontools,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type svc_conf_t;
+files_type(svc_conf_t)
+
+type svc_log_t;
+files_type(svc_log_t)
+
+type svc_multilog_t;
+type svc_multilog_exec_t;
+domain_type(svc_multilog_t)
+domain_entry_file(svc_multilog_t,svc_multilog_exec_t)
+role system_r types svc_multilog_t;
+
+type svc_run_t;
+type svc_run_exec_t;
+domain_type(svc_run_t)
+domain_entry_file(svc_run_t,svc_run_exec_t)
+role system_r types svc_run_t;
+
+type svc_start_t;
+type svc_start_exec_t;
+init_domain(svc_start_t,svc_start_exec_t)
+init_system_domain(svc_start_t,svc_start_exec_t)
+role system_r types svc_start_t;
+
+type svc_svc_t;
+files_type(svc_svc_t)
+
+########################################
+#
+# multilog local policy
+#
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
+allow svc_multilog_t svc_svc_t:file create_file_perms;
+
+init_use_fd(svc_multilog_t)
+
+libs_use_ld_so(svc_multilog_t)
+libs_use_shared_libs(svc_multilog_t)
+
+# writes to /var/log/*/*
+logging_manage_generic_logs(svc_multilog_t)
+
+daemontools_ipc_domain(svc_multilog_t)
+
+########################################
+#
+# local policy for binaries that impose
+# a given environment to supervised daemons
+# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+#
+
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:process setrlimit;
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+
+allow svc_run_t svc_conf_t:dir r_dir_perms;
+allow svc_run_t svc_conf_t:file r_file_perms;
+
+can_exec(svc_run_t svc_run_exec_t)
+
+kernel_read_system_state(svc_run_t)
+
+corecmd_exec_bin(svc_run_t)
+corecmd_exec_sbin(svc_run_t)
+corecmd_exec_shell(svc_run_t)
+corecmd_exec_ls(svc_run_t)
+
+files_read_etc_files(svc_run_t)
+files_read_etc_runtime_files(svc_run_t)
+files_search_pids(svc_run_t)
+files_search_var_lib(svc_run_t)
+
+init_use_script_fd(svc_run_t)
+init_use_fd(svc_run_t)
+
+libs_use_ld_so(svc_run_t)
+libs_use_shared_libs(svc_run_t)
+
+daemontools_domtrans_multilog(svc_run_t)
+daemontools_read_svc(svc_run_t)
+
+########################################
+#
+# local policy for service monitoring programs
+# ie svc, svscan, supervise ...
+#
+
+allow svc_start_t svc_run_t:process signal;
+
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+can_exec(svc_start_t svc_start_exec_t)
+
+corecmd_read_sbin_symlink(svc_start_t)
+corecmd_exec_bin(svc_start_t)
+corecmd_exec_shell(svc_start_t)
+
+files_read_etc_files(svc_start_t)
+files_read_etc_runtime_files(svc_start_t)
+files_search_var(svc_start_t)
+files_search_pids(svc_start_t)
+
+libs_use_ld_so(svc_start_t)
+libs_use_shared_libs(svc_start_t)
+
+daemontools_domtrans_run(svc_start_t)
+daemontools_manage_svc(svc_start_t)
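Review bot: Both `can_exec` calls are missing the comma between their arguments: `can_exec(svc_run_t svc_run_exec_t)` and `can_exec(svc_start_t svc_start_exec_t)`. m4 then sees a single argument, so the result depends on how the macro happens to expand and at best works by accident. They should read `can_exec(svc_run_t, svc_run_exec_t)` and `can_exec(svc_start_t, svc_start_exec_t)`. In the declarations, `svc_start_t` is passed to both `init_domain` and `init_system_domain`. If svscan is only ever launched from an init script, one of the two is redundant, and a short comment should say which launch paths are intended.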
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 895a601..8a11fb6 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -25,9 +25,11 @@ ifdef(`targeted_policy', `', `
/sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
-/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/svcinit -- gen_context(system_u:object_r:initrc_exec_t,s0)
')
#
@@ -41,6 +43,7 @@ ifdef(`distro_gentoo', `
#
ifdef(`distro_gentoo', `
/var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
+/var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 308a0b8..062a7b4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.1.3)
+policy_module(init,1.1.4)
gen_require(`
class passwd rootok;
@@ -386,7 +386,7 @@ userdom_read_all_user_files(initrc_t)
# started from init should be placed in their own domain.
userdom_use_sysadm_terms(initrc_t)
-ifdef(`distro_debian', `
+ifdef(`distro_debian',`
dev_setattr_dev_dir(initrc_t)
fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
@@ -512,6 +512,10 @@ optional_policy(`cups',`
cups_read_log(initrc_t)
')
+optional_policy(`daemontools',`
+ daemontools_manage_svc(initrc_t)
+')
+
optional_policy(`dbus',`
dbus_connect_system_bus(initrc_t)
dbus_send_system_bus_msg(initrc_t)
diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc
index 7d07518..934c86e 100644
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@@ -19,6 +19,9 @@ ifdef(`distro_suse', `
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
+/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
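Review bot: These entries (and the `/var/tinydns/log/main` one in the next hunk) label the djbdns log directories `var_log_t`, but daemontools.fc in the same commit labels `/var/service/.*/log/main(/.*)?` as `svc_log_t`. daemontools.te declares `svc_log_t` but gives `svc_multilog_t` no rule on it, only `logging_manage_generic_logs`. Logs under /var/service would then carry a type multilog appears unable to write, while logs under /var/axfrdns, /var/dnscache and /var/tinydns work. I would pick one type for all supervised-service logs: either label every path `svc_log_t` and add the matching allow rules for `svc_multilog_t`, or drop `svc_log_t`. Keeping these service-specific paths in daemontools.fc rather than logging.fc would also put the labelling in one place.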
@@ -29,3 +32,6 @@ ifdef(`distro_suse', `
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
+/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index b9cb9e8..8f1d53f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.0.1)
+policy_module(selinuxutil,1.0.2)
gen_require(`
bool secure_mode;
@@ -449,6 +449,10 @@ ifdef(`targeted_policy',`',`
miscfiles_read_localization(run_init_t)
logging_send_syslog_msg(run_init_t)
+
+ optional_policy(`daemontools',`
+ daemontools_domtrans_start(run_init_t)
+ ')
') dnl end ifdef targeted policy
ifdef(`TODO',`