[selinux-policy: 1891/3172] trunk: 3 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:48:29 UTC 2010
commit ce8a5299a8ea363fecdd59cd55caeffa3657bb75
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Feb 5 17:41:53 2008 +0000
trunk: 3 patches from dan.
policy/modules/services/zabbix.if | 37 ++++++++++++++++++++++++++++
policy/modules/services/zebra.if | 48 +++++++++++++++++++++++++++++++++++-
policy/modules/services/zebra.te | 21 +++++++--------
policy/support/obj_perm_sets.spt | 2 +-
4 files changed, 94 insertions(+), 14 deletions(-)
---
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 0bab20b..3360078 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -76,3 +76,40 @@ interface(`zabbix_read_pid_files',`
files_search_pids($1)
allow $1 zabbix_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zabbix environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the zabbix domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_admin',`
+ gen_require(`
+ type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+ ')
+
+ allow $1 zabbix_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, zabbix_t, zabbix_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
+')
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 398ad93..f1af65b 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -18,6 +18,50 @@ interface(`zebra_read_config',`
files_search_etc($1)
allow $1 zebra_conf_t:dir list_dir_perms;
- read_files_pattern($1,zebra_conf_t,zebra_conf_t)
- read_lnk_files_pattern($1,zebra_conf_t,zebra_conf_t)
+ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an zebra environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the zebra domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+ type zebra_conf_t, zebra_var_run_t;
+ ')
+
+ allow $1 zebra_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, zebra_t, zebra_t)
+
+ files_list_tmp($1)
+ manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, zebra_log_t, zebra_log_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 53e1235..098d4bd 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -12,11 +12,11 @@ policy_module(zebra,1.6.0)
## </p>
## </desc>
#
-gen_tunable(allow_zebra_write_config,false)
+gen_tunable(allow_zebra_write_config, false)
type zebra_t;
type zebra_exec_t;
-init_daemon_domain(zebra_t,zebra_exec_t)
+init_daemon_domain(zebra_t, zebra_exec_t)
type zebra_conf_t;
files_type(zebra_conf_t)
@@ -48,20 +48,20 @@ allow zebra_t self:rawip_socket create_socket_perms;
allow zebra_t zebra_conf_t:dir list_dir_perms;
read_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
-read_lnk_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
allow zebra_t zebra_log_t:dir setattr;
-manage_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
-manage_sock_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
-logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
# /tmp/.bgpd is such a bad idea!
allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
-manage_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
-manage_sock_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
-files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
kernel_read_system_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
@@ -115,8 +115,7 @@ userdom_dontaudit_use_unpriv_user_fds(zebra_t)
userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
tunable_policy(`allow_zebra_write_config',`
- allow zebra_t zebra_conf_t:dir write;
- allow zebra_t zebra_conf_t:file write;
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
optional_policy(`
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 1e41c04..58ed41d 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -204,7 +204,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
More information about the scm-commits
mailing list