[selinux-policy: 2904/3172] - Add passenger policy
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:18:33 UTC 2010
commit d7de04f8d4442d9d019d11f93b1264f443fab79c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Sep 13 11:49:37 2010 +0200
- Add passenger policy
policy/modules/apps/passenger.fc | 6 +++
policy/modules/apps/passenger.if | 68 +++++++++++++++++++++++++++++++++++++
policy/modules/apps/passenger.te | 67 ++++++++++++++++++++++++++++++++++++
policy/modules/services/apache.te | 6 +++
4 files changed, 147 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/apps/passenger.fc b/policy/modules/apps/passenger.fc
new file mode 100644
index 0000000..e75adfa
--- /dev/null
+++ b/policy/modules/apps/passenger.fc
@@ -0,0 +1,6 @@
+
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_state_t,s0)
diff --git a/policy/modules/apps/passenger.if b/policy/modules/apps/passenger.if
new file mode 100644
index 0000000..e738452
--- /dev/null
+++ b/policy/modules/apps/passenger.if
@@ -0,0 +1,68 @@
+## <summary>Passenger policy</summary>
+
+######################################
+## <summary>
+## Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid };
+
+ allow $1 passenger_t:process signal;
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+ allow $1 passenger_t:unix_stream_socket { read write shutdown };
+ allow passenger_t $1:unix_stream_socket { read write };
+')
+
+######################################
+## <summary>
+## Manage passenger state content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_state_content',`
+ gen_require(`
+ type passenger_state_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
+ manage_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
+')
+
+########################################
+## <summary>
+## Read passenger lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+')
+
diff --git a/policy/modules/apps/passenger.te b/policy/modules/apps/passenger.te
new file mode 100644
index 0000000..845d90f
--- /dev/null
+++ b/policy/modules/apps/passenger.te
@@ -0,0 +1,67 @@
+
+policy_module(passanger,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_state_t;
+files_pid_file(passenger_state_t)
+
+permissive passenger_t;
+
+########################################
+#
+# passanger local policy
+#
+
+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
+allow passenger_t self:process signal;
+
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t)
+manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
+manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
+manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
+
+files_search_var_lib(passenger_t)
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
+corenet_tcp_connect_http_port(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+corecmd_exec_shell(passenger_t)
+
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
+
+optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 7a8df8a..317e165 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -723,6 +723,12 @@ optional_policy(`
')
optional_policy(`
+ passenger_domtrans(httpd_t)
+ passenger_manage_state_content(httpd_t)
+ passenger_read_lib_files(httpd_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(httpd_t)
')
More information about the scm-commits
mailing list