[selinux-policy: 2275/3172] add abrt from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:22:02 UTC 2010


commit e3a90e358afbc7dd9cf9687622396395848ef734
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 14 09:22:24 2009 -0400

    add abrt from dan.

 Changelog                       |    1 +
 policy/modules/services/abrt.fc |   11 ++++
 policy/modules/services/abrt.if |  125 +++++++++++++++++++++++++++++++++++++++
 policy/modules/services/abrt.te |  117 ++++++++++++++++++++++++++++++++++++
 4 files changed, 254 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 9432eb1..f8da104 100644
--- a/Changelog
+++ b/Changelog
@@ -9,6 +9,7 @@
 - Handle unix_chkpwd usage by useradd and groupadd.
 - Add missing compatibility aliases for xdm_xserver*_t types.
 - Added modules:
+	abrt (Dan Walsh)
 	gitosis (Miroslav Grepl)
 	hddtemp (Dan Walsh)
 	kdump (Dan Walsh)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
new file mode 100644
index 0000000..d2b692d
--- /dev/null
+++ b/policy/modules/services/abrt.fc
@@ -0,0 +1,11 @@
+/etc/abrt(/.*)?			 gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/sbin/abrt			--	gen_context(system_u:object_r:abrt_exec_t,s0)
+
+/var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+/var/log/abrt-logger		--	gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)	
+/var/run/abrt\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
new file mode 100644
index 0000000..e9ed246
--- /dev/null
+++ b/policy/modules/services/abrt.if
@@ -0,0 +1,125 @@
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+##	Execute abrt in the abrt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`abrt_domtrans',`
+	gen_require(`
+		type abrt_t, abrt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+## <summary>
+##	Execute abrt 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`abrt_exec',`
+	gen_require(`
+		type abrt_exec_t;
+	')
+
+	can_exec($1, abrt_exec_t)
+')
+
+####################################
+## <summary>
+##	Read abrt configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_config',`
+	gen_require(`
+		type abrt_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+## <summary>
+##	Read abrt logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_log',`
+	gen_require(`
+		type abrt_var_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+#####################################
+## <summary>
+##	All of the rules required to administrate 
+##	an abrt environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the abrt domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_admin',`
+	gen_require(`
+		type abrt_t, abrt_etc_t; 
+		type abrt_var_cache_t, abrt_var_log_t;
+		type abrt_var_run_t, abrt_tmp_t;
+		type abrt_initrc_exec_t;
+	')
+
+	allow $1 abrt_t:process { ptrace signal_perms };
+	ps_process_pattern($1, abrt_t)
+
+	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 abrt_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, abrt_etc_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, abrt_var_log_t)	
+
+	files_search_var($1)
+	admin_pattern($1, abrt_var_cache_t)
+
+	files_search_pids($1)
+	admin_pattern($1, abrt_var_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, abrt_tmp_t)
+')
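Review bot: In `abrt_admin`, the rule `allow $1 abrt_t:process { ptrace signal_perms };` gives the admin domain ptrace over abrt_t, which goes beyond what the interface summary describes as administration. The abrt.te added in this same commit gives abrt_t `setuid`, `setgid` and `dac_override` plus `rpm_domtrans`, so a domain that can ptrace the daemon can act with those permissions. Unless there is a documented need to attach a debugger, I would narrow the rule to `allow $1 abrt_t:process signal_perms;` and keep `ps_process_pattern($1, abrt_t)` for visibility. Separately, the `abrt_exec` summary should say that abrt runs in the caller domain, to distinguish it from `abrt_domtrans`.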
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
new file mode 100644
index 0000000..559ce2d
--- /dev/null
+++ b/policy/modules/services/abrt.te
@@ -0,0 +1,117 @@
+
+policy_module(abrt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type abrt_t;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+# etc files
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+# log files
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+# tmp files
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+# var/cache files
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+# pid files
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+########################################
+#
+# abrt local policy
+#
+
+allow abrt_t self:capability { setuid setgid sys_nice dac_override };
+allow abrt_t self:process { signal signull setsched getsched };
+
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# abrt etc files
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+# log file
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+# abrt tmp files 
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+# abrt var/cache files
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+
+# abrt pid files
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+
+corenet_tcp_connect_http_port(abrt_t)
+
+dev_read_urand(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_etc_files(abrt_t)
+files_read_usr_files(abrt_t)
+
+fs_list_inotifyfs(abrt_t)
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+
+sysnet_read_config(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+
+miscfiles_read_certs(abrt_t)
+miscfiles_read_localization(abrt_t)
+
+# to run bugzilla plugin
+# read ~/.abrt/Bugzilla.conf
+userdom_read_user_home_content_files(abrt_t)
+
+optional_policy(`
+	dbus_connect_system_bus(abrt_t)
+	dbus_system_bus_client(abrt_t)
+')
+
+# to install debuginfo packages 
+optional_policy(`
+	rpm_manage_db(abrt_t)
+	rpm_domtrans(abrt_t)
+')
+
+# to run mailx plugin
+optional_policy(`
+	sendmail_domtrans(abrt_t)
+')
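Review bot: `userdom_read_user_home_content_files(abrt_t)` grants read access to all user home content files, while the comment above it names a single file, `~/.abrt/Bugzilla.conf`. The same domain may connect to HTTP ports (`corenet_tcp_connect_http_port`), run a shell and transition to sendmail, so a compromised daemon or plugin would be able to read users' files and send them off the host. A narrower design would label `~/.abrt` with its own type and allow abrt_t to read only that type; it needs a new type declaration and an abrt.fc entry, so I am describing it rather than quoting it. `kernel_rw_kernel_sysctl(abrt_t)` and `rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)` also grant write access without a comment saying what needs it; a one-line comment on each, in the style of the existing `# to run ...` comments, would let a later reviewer judge whether read-only is enough.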

