From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>,
SE Linux <selinux@tycho.nsa.gov>
Subject: Current Fedora Prelude patch
Date: Wed, 11 Jun 2008 14:34:49 -0400 [thread overview]
Message-ID: <48501AC9.60901@redhat.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 0 bytes --]
[-- Attachment #2: services_prelude.patch --]
[-- Type: text/plain, Size: 4533 bytes --]
Subject: [PATCH] refpolicy: services_prelude changes
--text follows this line--
--- nsaserefpolicy/policy/modules/services/prelude.fc 2008-06-11 08:15:44.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/prelude.fc 2008-06-11 14:30:20.000000000 -0400
@@ -9,3 +9,4 @@
/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/etc/rc.d/init.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-11 08:15:44.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-11 14:32:45.000000000 -0400
@@ -42,7 +42,7 @@
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed acccess.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -56,6 +56,24 @@
########################################
## <summary>
+## Execute prelude server in the prelude domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`prelude_script_domtrans',`
+ gen_require(`
+ type prelude_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,prelude_script_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an prelude environment
## </summary>
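Review bot: The summary added for prelude_script_domtrans mis-describes what the interface does: its body calls `init_script_domtrans_spec($1, prelude_script_exec_t)`, which transitions on execution of the prelude init script, not on the prelude server binary (that path is labelled `prelude_script_exec_t` in the prelude.fc hunk). A caller reading "Execute prelude server in the prelude domain" would expect a transition into prelude_t, which this interface does not grant. Suggested wording: `## Execute the prelude init script in the init script domain.` The parameter description could likewise say `## Domain allowed to transition.` to match the style of the other interfaces in this file.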
@@ -64,6 +82,16 @@
## Domain allowed access.
## </summary>
## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`prelude_admin',`
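Review bot: The new `role` parameter description reads "manage the syslog domain", which looks copied from the logging admin interface; for prelude_admin it should be `## The role to be allowed to manage the prelude domain.`. The `terminal` parameter is documented as `$3`, but the visible parts of the interface body (the two hunks that follow) reference only `$1` and `$2`; two lines of the body fall between the hunks and are not shown here, so if `$3` is genuinely unused the documentation should either be dropped or the interface should use it, otherwise callers will pass a terminal type that has no effect. Documenting an argument that grants nothing makes the admin interface's effective scope harder to audit.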
@@ -71,6 +99,7 @@
type prelude_t, prelude_spool_t;
type prelude_var_run_t, prelude_var_lib_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_script_exec_t;
')
allow $1 prelude_t:process { ptrace signal_perms };
@@ -79,11 +108,14 @@
allow $1 prelude_audisp_t:process { ptrace signal_perms };
ps_process_pattern($1, prelude_audisp_t)
- manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
-
- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t)
-
- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t)
-
- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+ # Allow prelude_t to restart the apache service
+ prelude_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_script_exec_t system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, prelude_spool_t)
+ manage_all_pattern($1, prelude_var_lib_t)
+ manage_all_pattern($1, prelude_var_run_t)
+ manage_all_pattern($1, prelude_audisp_var_run_t)
')
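Review bot: The comment `# Allow prelude_t to restart the apache service` above `prelude_script_domtrans($1)` is wrong on both counts: the subject is `$1` (the admin domain passed to prelude_admin), and the script being executed is the prelude init script, not apache. Since the lines that follow also exempt `$1` from the system domain-change constraint and let `$2` enter `system_r`, an accurate comment matters for anyone reviewing what this admin interface actually hands out; suggested: `# Allow the admin domain to run the prelude init script, and its role to transition to system_r for it`. Replacing `manage_files_pattern` with `manage_all_pattern` also widens the grant from files to every object class in those types; that is consistent with the admin intent, but worth stating in the interface summary so the broadening is deliberate rather than incidental. The interface body begins at the `interface(\`prelude_admin'` line in the previous hunk.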
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-11 08:15:44.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-11 13:48:53.000000000 -0400
@@ -19,12 +19,18 @@
type prelude_var_lib_t;
files_type(prelude_var_lib_t)
+type prelude_script_exec_t;
+init_script_type(prelude_script_exec_t)
+
type prelude_audisp_t;
type prelude_audisp_exec_t;
init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+typealias prelude_audisp_t alias audisp_prelude_t;
+typealias prelude_audisp_exec_t alias audisp_prelude_exec_t;
type prelude_audisp_var_run_t;
files_pid_file(prelude_audisp_var_run_t)
+typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t;
########################################
#
@@ -56,6 +62,8 @@
corenet_tcp_sendrecv_all_if(prelude_t)
corenet_tcp_sendrecv_all_nodes(prelude_t)
corenet_tcp_bind_all_nodes(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
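Review bot: `corenet_tcp_bind_prelude_port` and `corenet_tcp_connect_prelude_port` (and the connect call in the later prelude_audisp_t hunk) depend on a prelude port type being declared in corenetwork, which this patch does not include; if the corresponding corenetwork change is carried separately, the module will fail to build against a tree that lacks it, so the cover text or a comment should say so. A one-line comment such as `# requires the prelude port declaration in corenetwork` above these calls would make the dependency visible. Granting prelude_t both bind and connect on the same port is presumably for the manager relaying to another manager; if that is the intent, noting it would make the dual permission easier to justify during review.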
@@ -66,6 +74,8 @@
files_read_etc_files(prelude_t)
files_read_usr_files(prelude_t)
+fs_rw_anon_inodefs_files(prelude_t)
+
auth_use_nsswitch(prelude_t)
libs_use_ld_so(prelude_t)
@@ -110,6 +120,7 @@
corenet_tcp_sendrecv_all_if(prelude_audisp_t)
corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
corenet_tcp_bind_all_nodes(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
@@ -126,6 +137,8 @@
miscfiles_read_localization(prelude_audisp_t)
+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)
+
########################################
#
# prewikka_cgi Declarations
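Review bot: `logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t)` is added while the declarations hunk still keeps `init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)` for the same pair, so prelude_audisp_t now has entry-point transitions from two sources. If the audisp plugin is only ever launched by audispd rather than by init, the init_daemon_domain call may be redundant and could be dropped to keep the domain's entry points minimal; I cannot confirm the launch path from this patch alone, so this is worth checking rather than assuming. A short comment above the new line, e.g. `# launched by audispd; init transition kept for <reason>`, would record the decision either way.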
[-- Attachment #3: services_prelude.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]