[selinux-policy: 1891/3172] trunk: 3 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:48:29 UTC 2010


commit ce8a5299a8ea363fecdd59cd55caeffa3657bb75
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Feb 5 17:41:53 2008 +0000

    trunk: 3 patches from dan.

 policy/modules/services/zabbix.if |   37 ++++++++++++++++++++++++++++
 policy/modules/services/zebra.if  |   48 +++++++++++++++++++++++++++++++++++-
 policy/modules/services/zebra.te  |   21 +++++++--------
 policy/support/obj_perm_sets.spt  |    2 +-
 4 files changed, 94 insertions(+), 14 deletions(-)
---
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 0bab20b..3360078 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -76,3 +76,40 @@ interface(`zabbix_read_pid_files',`
 	files_search_pids($1)
 	allow $1 zabbix_var_run_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an zabbix environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the zabbix domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`zabbix_admin',`
+	gen_require(`
+		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+	')
+
+	allow $1 zabbix_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, zabbix_t, zabbix_t)
+	        
+	logging_list_logs($1)
+	manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
+')
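Review bot: The header declares `role` and `terminal` parameters and carries `<rolecap/>`, but the body of `zabbix_admin` only references `$1`; `$2` and `$3` are accepted and silently ignored, so a caller passing a role gets no role-related rules. Either drop the two unused `<param>` blocks and `<rolecap/>` from the header, or add the rules that consume them. The same mismatch is in `zebra_admin` in zebra.if. `allow $1 zabbix_t:process { ptrace signal_perms getattr }` lets the caller attach to and inspect the running daemon, which appears to be the admin-interface shape in this tree but deserves a one-line comment such as `# ptrace: admin domain may debug/inspect the daemon process`. The blank line after `read_files_pattern` carries trailing whitespace.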
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 398ad93..f1af65b 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -18,6 +18,50 @@ interface(`zebra_read_config',`
 
 	files_search_etc($1)
 	allow $1 zebra_conf_t:dir list_dir_perms;
-	read_files_pattern($1,zebra_conf_t,zebra_conf_t)
-	read_lnk_files_pattern($1,zebra_conf_t,zebra_conf_t)
+	read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+	read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an zebra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the zebra domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`zebra_admin',`
+	gen_require(`
+		type zebra_t, zebra_tmp_t, zebra_log_t;
+		type zebra_conf_t, zebra_var_run_t;
+	')
+
+	allow $1 zebra_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, zebra_t, zebra_t)
+	        
+	files_list_tmp($1)
+	manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
+
+	logging_list_logs($1)
+	manage_files_pattern($1, zebra_log_t, zebra_log_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
 ')
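Review bot: zebra_tmp_t, zebra_log_t and zebra_var_run_t hold socket files (zebra.te grants zebra_t `manage_sock_files_pattern` on the log and pid types and `sock_file manage_sock_file_perms` on zebra_tmp_t, with the /tmp/.bgpd socket created there), but `zebra_admin` only grants `manage_files_pattern` on those types, so an admin domain cannot remove a stale socket left behind after a crash. Adding `manage_sock_files_pattern($1, zebra_tmp_t, zebra_tmp_t)` and the corresponding lines for zebra_log_t and zebra_var_run_t would match what the daemon itself creates. Whether a cleanup-after-crash workflow is intended for this interface is inferred, not stated on the page.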
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 53e1235..098d4bd 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -12,11 +12,11 @@ policy_module(zebra,1.6.0)
 ## </p>
 ## </desc>
 #
-gen_tunable(allow_zebra_write_config,false)
+gen_tunable(allow_zebra_write_config, false)
 
 type zebra_t;
 type zebra_exec_t;
-init_daemon_domain(zebra_t,zebra_exec_t)
+init_daemon_domain(zebra_t, zebra_exec_t)
 
 type zebra_conf_t;
 files_type(zebra_conf_t)
@@ -48,20 +48,20 @@ allow zebra_t self:rawip_socket create_socket_perms;
 
 allow zebra_t zebra_conf_t:dir list_dir_perms;
 read_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
-read_lnk_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 
 allow zebra_t zebra_log_t:dir setattr;
-manage_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
-manage_sock_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
-logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 
 # /tmp/.bgpd is such a bad idea!
 allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
 
-manage_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
-manage_sock_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
-files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
 
 kernel_read_system_state(zebra_t)
 kernel_read_kernel_sysctls(zebra_t)
@@ -115,8 +115,7 @@ userdom_dontaudit_use_unpriv_user_fds(zebra_t)
 userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
 
 tunable_policy(`allow_zebra_write_config',`
-	allow zebra_t zebra_conf_t:dir write;
-	allow zebra_t zebra_conf_t:file write;
+	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 ')
 
 optional_policy(`
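Review bot: Replacing the two `write` rules with `manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)` widens the tunable from writing existing config files to creating, deleting and renaming them and adding/removing directory entries, which is more than the tunable's name suggests; the tunable's `<desc>` (it ends at the top of the first zebra.te hunk, outside this one) should say so, e.g. `Allow zebra to create, modify and delete its configuration files.`. The old `dir write` without `add_name` could not have created new files, so the widening is presumably what makes the tunable usable, but that rationale is only inferable from the diff and is worth a comment on the tunable. The `tunable_policy` block is complete within the hunk.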
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 1e41c04..58ed41d 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -204,7 +204,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
 define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')
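Review bot: Adding `ioctl` to `mmap_file_perms` widens every caller of the macro across the policy, not only the modules touched in this commit, and neither the hunk nor the commit message records why; a short comment above the define, e.g. `# ioctl added so mmap_file_perms agrees with read_file_perms — <reason placeholder>`, would preserve the intent for later readers. After this change `mmap_file_perms` and `read_file_perms` agree on ioctl, but `exec_file_perms` on the next line still omits it, which may be deliberate but is now an asymmetry worth stating.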

