* [refpolicy] services_snort.patch
@ 2008-09-24 19:59 Daniel J Walsh
2008-10-09 18:09 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2008-09-24 19:59 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch
New path for snort
snort now uses /var/run/snort
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
snort uses the netlink_firewall_socket
connects to the prelude port
reads random devices
reads utmp file
resolves hostnames
plays with prelude
^ permalink raw reply [flat|nested] 14+ messages in thread
* [refpolicy] services_snort.patch
2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh
@ 2008-10-09 18:09 ` Christopher J. PeBenito
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
` (3 more replies)
0 siblings, 4 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2008-10-09 18:09 UTC (permalink / raw)
To: refpolicy
On Wed, 2008-09-24 at 15:59 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch
>
> New path for snort
>
> snort now uses /var/run/snort
>
> Add initrc script support
>
> allow admin to start/stop service
>
> Admin needs admin_pattern on all file types
>
> snort uses the netlink_firewall_socket
>
> connects to the prelude port
>
> reads random devices
>
> reads utmp file
>
> resolves hostnames
>
> plays with prelude
Merged, except for the prelude bits. It also sounds like that DNS
resolve should go in the prelude optional too.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_cvs.patch
2008-10-09 18:09 ` Christopher J. PeBenito
@ 2008-10-10 20:30 ` Daniel J Walsh
2008-10-13 15:10 ` Christopher J. PeBenito
2008-10-10 20:32 ` [refpolicy] services_cyrus.patch Daniel J Walsh
` (2 subsequent siblings)
3 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:30 UTC (permalink / raw)
To: refpolicy
Add httpd cgi policy and kerberos_keytab support
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_cvs.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_cvs.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.obj
* [refpolicy] services_cyrus.patch
2008-10-09 18:09 ` Christopher J. PeBenito
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
@ 2008-10-10 20:32 ` Daniel J Walsh
2008-10-13 15:10 ` Christopher J. PeBenito
2008-10-10 20:40 ` [refpolicy] services_snort.patch Daniel J Walsh
2008-10-10 20:45 ` [refpolicy] services_munin.patch Daniel J Walsh
3 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:32 UTC (permalink / raw)
To: refpolicy
Add _admin support and kerberos_keytab.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_cyrus.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/447a5dfc/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_cyrus.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/447a5dfc/attachment.obj
* [refpolicy] services_snort.patch
2008-10-09 18:09 ` Christopher J. PeBenito
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
2008-10-10 20:32 ` [refpolicy] services_cyrus.patch Daniel J Walsh
@ 2008-10-10 20:40 ` Daniel J Walsh
2008-10-10 20:45 ` [refpolicy] services_munin.patch Daniel J Walsh
3 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:40 UTC (permalink / raw)
To: refpolicy
Complete kerberos patch and several small domains that use kerberos keytabs.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_kerberos.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/a66c95c6/attachment-0001.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_kerberos.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/a66c95c6/attachment-0001.obj
* [refpolicy] services_munin.patch
2008-10-09 18:09 ` Christopher J. PeBenito
` (2 preceding siblings ...)
2008-10-10 20:40 ` [refpolicy] services_snort.patch Daniel J Walsh
@ 2008-10-10 20:45 ` Daniel J Walsh
3 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:45 UTC (permalink / raw)
To: refpolicy
Add admin functions and initrc handling
needs chown, setuid, dac_override and sys_rawio
Talks to itself over a fifo file
Manages its own logfile and directories.
Reads all sysctls and network state
Communicates with http and munin ports
Runs a ps command
calls getpw* functions so needs auth_use_nsswitch
Reads fonts
Executes ping and ifconfig
Starts fstools
Communicates with mysql
sends mail
Add apache scripts policy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_munin.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/438a34c8/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_munin.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/438a34c8/attachment.obj
* [refpolicy] services_cyrus.patch
2008-10-10 20:32 ` [refpolicy] services_cyrus.patch Daniel J Walsh
@ 2008-10-13 15:10 ` Christopher J. PeBenito
0 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
To: refpolicy
On Fri, 2008-10-10 at 16:32 -0400, Daniel J Walsh wrote:
>
> Add _admin support and kerberos_keytab.
Merged.
> plain text document attachment (services_cyrus.patch)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1,3 +1,4 @@
> +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
>
> /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400
> @@ -39,3 +39,47 @@
> files_search_var_lib($1)
> stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an cyrus environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed to manage the cyrus domain.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cyrus_admin',`
> + gen_require(`
> + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
> + type cyrus_var_run_t;
> + type cyrus_initrc_exec_t;
> + ')
> +
> + allow $1 cyrus_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cyrus_t)
> +
> + init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 cyrus_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cyrus_tmp_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, cyrus_var_lib_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cyrus_var_run_t)
> +')
> +
> +
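Review bot: the interface summary at the top of this hunk reads "an cyrus environment" and should read "a cyrus environment", and the two trailing `+` blank lines after the closing `')` leave stray whitespace at the end of cyrus.if; drop them. On the body, `allow $1 cyrus_t:process { ptrace signal_perms };` gives the admin domain ptrace over the running daemon, which is more than starting, stopping and managing its files requires; if that mirrors the other *_admin interfaces it is consistent, but it is worth noting since ptrace lets the admin role read the mail daemon's process memory, not only signal it.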
> --- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,6 +10,9 @@
> type cyrus_exec_t;
> init_daemon_domain(cyrus_t, cyrus_exec_t)
>
> +type cyrus_initrc_exec_t;
> +init_script_file(cyrus_initrc_exec_t)
> +
> type cyrus_tmp_t;
> files_tmp_file(cyrus_tmp_t)
>
> @@ -120,7 +123,7 @@
> ')
>
> optional_policy(`
> - kerberos_use(cyrus_t)
> + kerberos_keytab_template(cyrus, cyrus_t)
> ')
>
> optional_policy(`
>
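Review bot: `kerberos_keytab_template(cyrus, cyrus_t)` replaces `kerberos_use(cyrus_t)`, but that template is only introduced by the separate services_kerberos.patch posted in this thread, so cyrus.te will not build unless that patch is merged first; the merge order should be recorded in the commit. It is also worth confirming that the template still grants what kerberos_use() did (reading the kerberos config and reaching the kerberos ports), since the replacement is a one-line swap with nothing else in the hunk covering that access.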
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_cvs.patch
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
@ 2008-10-13 15:10 ` Christopher J. PeBenito
0 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
To: refpolicy
On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote:
> Add httpd cgi policy and kerberos_keytab support
Merged.
> plain text document attachment (services_cvs.patch)
>
> --- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -5,3 +5,6 @@
>
> /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
>
> +#CVSWeb file context
> +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/cvs.if 2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.if 2008-10-10 16:08:15.000000000 -0400
> @@ -69,4 +69,13 @@
> domain_system_change_exemption($1)
> role_transition $2 cvs_initrc_exec_t system_r;
> allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cvs_tmp_t)
> +
> + admin_pattern($1, cvs_data_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cvs_var_run_t)
> ')
> +
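Review bot: the stray `+` blank line added after the closing `')` at the end of cvs.if leaves trailing whitespace at end of file; drop it. Also, `admin_pattern($1, cvs_data_t)` has no accompanying list interface, whereas `files_list_tmp($1)` and `files_list_pids($1)` precede the tmp and pid entries; since cvs_data_t lives under /var/cvs, a `files_list_var($1)` before it would keep the three entries consistent and guarantee the admin domain can reach the directory.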
> --- nsaserefpolicy/policy/modules/services/cvs.te 2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-10 16:08:15.000000000 -0400
> @@ -99,7 +99,17 @@
> ')
>
> optional_policy(`
> - kerberos_read_keytab(cvs_t)
> + kerberos_keytab_template(cvs, cvs_t)
> kerberos_read_config(cvs_t)
> kerberos_dontaudit_write_config(cvs_t)
> ')
> +
> +########################################
> +# CVSWeb policy
> +
> +apache_content_template(cvs)
> +
> +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
> +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
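Review bot: `apache_content_template(cvs)` and the four rules after it sit at the top level of cvs.te, so the cvs module now hard-depends on the apache module; wrapping the CVSWeb block in `optional_policy(\`...')`, as the kerberos rules just above it are, would keep cvs loadable on systems without apache. Separately, `kerberos_keytab_template(cvs, cvs_t)` comes from the services_kerberos.patch posted in this thread rather than from the current tree, so this hunk only builds once that patch is merged first.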
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_snort.patch
@ 2009-03-05 17:05 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2009-03-05 17:05 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snort.patch
snort uses prelude port
reads kernel sysctl
Prelude fixes.
* [refpolicy] services_snort.patch
@ 2009-06-09 1:09 Daniel J Walsh
2009-07-27 20:04 ` Chris PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2009-06-09 1:09 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snort.patch
Interface with prelude.
* [refpolicy] services_snort.patch
2009-06-09 1:09 Daniel J Walsh
@ 2009-07-27 20:04 ` Chris PeBenito
0 siblings, 0 replies; 14+ messages in thread
From: Chris PeBenito @ 2009-07-27 20:04 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-06-08 at 21:09 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_snort.patch
>
> Interface with prelude.
Merged.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* [refpolicy] services_snort.patch
@ 2010-02-23 20:56 Daniel J Walsh
0 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2010-02-23 20:56 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_snort.patch
snort creates generic sockets
We can dontaudit read of system state
rearrange kernel calls and allow snort to request that the kernel load a module.
uses usbmon and generic usb devices.
* [refpolicy] services_snort.patch
@ 2010-08-26 22:21 Daniel J Walsh
2010-09-15 13:24 ` Christopher J. PeBenito
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:21 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_snort.patch
Reads kernel network state
uses usbmon device
* [refpolicy] services_snort.patch
2010-08-26 22:21 Daniel J Walsh
@ 2010-09-15 13:24 ` Christopher J. PeBenito
0 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2010-09-15 13:24 UTC (permalink / raw)
To: refpolicy
On 08/26/10 18:21, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_snort.patch
>
> Reads kernel network state
>
> uses usbmon device
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com