* [refpolicy] services_snort.patch
@ 2008-09-24 19:59 Daniel J Walsh
From: Daniel J Walsh @ 2008-09-24 19:59 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch

New path for snort
snort now uses /var/run/snort
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
snort uses the netlink_firewall_socket
connects to the prelude port
reads random devices
reads utmp file
resolves hostnames
plays with prelude
* [refpolicy] services_snort.patch 2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh @ 2008-10-09 18:09 ` Christopher J. PeBenito 2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh ` (3 more replies) 0 siblings, 4 replies; 18+ messages in thread From: Christopher J. PeBenito @ 2008-10-09 18:09 UTC (permalink / raw) To: refpolicy On Wed, 2008-09-24 at 15:59 -0400, Daniel J Walsh wrote: > http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch > > New path for snort > > snort now uses /var/run/snort > > Add initrc script support > > allow admin to start/stop service > > Admin needs admin_pattern on all file types > > snort uses the netlinkg_firewall_socket > > connects to the prelude port > > reads random devices > > reads utmp file > > resolves hostnames > > playes with prelude Merged, except for the prelude bits. It also sounds like that DNS resolve should go in the prelude optional too. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 18+ messages in thread
* [refpolicy] services_cvs.patch
@ 2008-10-10 20:30 Daniel J Walsh
From: Daniel J Walsh @ 2008-10-10 20:30 UTC
To: refpolicy

Add httpd cgi policy and kerberos_keytab support

Attachment: services_cvs.patch
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.pl
Attachment: services_cvs.patch.sig (application/octet-stream, 72 bytes)
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.obj
* [refpolicy] services_cvs.patch
@ 2008-10-13 15:10 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC
To: refpolicy

On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote:
> Add httpd cgi policy and kerberos_keytab support

Merged.

> plain text document attachment (services_cvs.patch)
>
> --- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -5,3 +5,6 @@
>
> /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
>
> +#CVSWeb file context
> +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/cvs.if 2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.if 2008-10-10 16:08:15.000000000 -0400
> @@ -69,4 +69,13 @@
> domain_system_change_exemption($1)
> role_transition $2 cvs_initrc_exec_t system_r;
> allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cvs_tmp_t)
> +
> + admin_pattern($1, cvs_data_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cvs_var_run_t)
> ')
> +
> --- nsaserefpolicy/policy/modules/services/cvs.te 2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-10 16:08:15.000000000 -0400
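Review bot: the two new cvs.fc entries label cvsweb\.cgi with httpd_cvs_script_exec_t, a type that only exists once cvs.te calls apache_content_template(cvs); because .fc entries cannot be made conditional, this turns the apache module into a hard build dependency of the cvs module, which should be stated in the commit message so packagers are not surprised. Style point: refpolicy comments put a space after the hash, so `# CVSWeb file context`.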
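Review bot: in the cvs_admin additions, admin_pattern($1, cvs_data_t) has no directory-search counterpart, whereas the tmp and pid entries are preceded by files_list_tmp($1) and files_list_pids($1); add files_list_var($1) before it so the admin role can reach /var/cvs without relying on rules granted elsewhere. The hunk also adds a trailing blank line after the closing `')`, which refpolicy style does not use.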
> @@ -99,7 +99,17 @@
> ')
>
> optional_policy(`
> - kerberos_read_keytab(cvs_t)
> + kerberos_keytab_template(cvs, cvs_t)
> kerberos_read_config(cvs_t)
> kerberos_dontaudit_write_config(cvs_t)
> ')
> +
> +########################################
> +# CVSWeb policy
> +
> +apache_content_template(cvs)
> +
> +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
> +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
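Review bot: read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) in the CVSWeb block only grants search on cvs_data_t directories, not read, so a CGI that enumerates the repository will be denied `dir { read }`; pair it with list_dirs_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t), and read_lnk_files_pattern if the repository contains symlinks. The last line, files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }), is a second default type transition for the same source domain, tmp_t target and object classes that apache_content_template already sets up towards httpd_cvs_script_rw_t, and the policy compiler rejects two different defaults for one key; either drop the rule or, on policies that support named file transitions, restrict it to a filename so the two rules do not collide. Separately, kerberos_keytab_template(cvs, cvs_t) declares a cvs_keytab_t type, but nothing in this patch labels a file with it, so the keytab keeps the generic krb5_keytab_t label until an .fc entry is added.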
* [refpolicy] services_cyrus.patch
@ 2008-10-10 20:32 Daniel J Walsh
From: Daniel J Walsh @ 2008-10-10 20:32 UTC
To: refpolicy

Add _admin support and kerberos_keytab.

Attachment: services_cyrus.patch
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/447a5dfc/attachment.pl
Attachment: services_cyrus.patch.sig (application/octet-stream, 72 bytes)
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/447a5dfc/attachment.obj
* [refpolicy] services_cyrus.patch
@ 2008-10-13 15:10 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC
To: refpolicy

On Fri, 2008-10-10 at 16:32 -0400, Daniel J Walsh wrote:
>
> Add _admin support and kerberos_keytab.

Merged.

> plain text document attachment (services_cyrus.patch)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1,3 +1,4 @@
> +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
>
> /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400
> @@ -39,3 +39,47 @@
> files_search_var_lib($1)
> stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an cyrus environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed to manage the cyrus domain.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cyrus_admin',`
> + gen_require(`
> + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
> + type cyrus_var_run_t;
> + type cyrus_initrc_exec_t;
> + ')
> +
> + allow $1 cyrus_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cyrus_t)
> +
> + init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 cyrus_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cyrus_tmp_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, cyrus_var_lib_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cyrus_var_run_t)
> +')
> +
> +
> --- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,6 +10,9 @@
> type cyrus_exec_t;
> init_daemon_domain(cyrus_t, cyrus_exec_t)
>
> +type cyrus_initrc_exec_t;
> +init_script_file(cyrus_initrc_exec_t)
> +
> type cyrus_tmp_t;
> files_tmp_file(cyrus_tmp_t)
>
> @@ -120,7 +123,7 @@
> ')
>
> optional_policy(`
> - kerberos_use(cyrus_t)
> + kerberos_keytab_template(cyrus, cyrus_t)
> ')
>
> optional_policy(`
>

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
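Review bot: the cyrus_admin doc block in the cyrus.if hunk reads "administrate an cyrus environment"; make that "a cyrus environment", since the XML summary is what the generated interface documentation shows. The interface also ends with two added blank lines after `')`, which refpolicy style does not use. Worth a comment in the block: allow $1 cyrus_t:process { ptrace signal_perms } lets the admin role attach to the running IMAP server and read its memory, mailbox data and any Kerberos credentials included; it matches the other _admin interfaces of this series, but it is the strongest right granted here.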
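Review bot: the second cyrus.te hunk replaces kerberos_use(cyrus_t) with kerberos_keytab_template(cyrus, cyrus_t) and nothing else, whereas the cvs change posted the same day keeps kerberos_read_config next to the template; confirm that the template alone still grants what kerberos_use did (reading krb5.conf and reaching the KDC ports under the allow_kerberos tunable), otherwise GSSAPI logins to cyrus-master will be denied once the module is enforcing. The template also declares cyrus_keytab_t, but the cyrus.fc hunk adds only the initrc entry, so no keytab file is labeled with the new type.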
* [refpolicy] services_snort.patch
@ 2008-10-10 20:40 Daniel J Walsh
From: Daniel J Walsh @ 2008-10-10 20:40 UTC
To: refpolicy

Complete kerberos patch and several small domains that use kerberos keytabs.

Attachment: services_kerberos.patch
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/a66c95c6/attachment-0001.pl
Attachment: services_kerberos.patch.sig (application/octet-stream, 72 bytes)
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/a66c95c6/attachment-0001.obj
* [refpolicy] services_munin.patch
@ 2008-10-10 20:45 Daniel J Walsh
From: Daniel J Walsh @ 2008-10-10 20:45 UTC
To: refpolicy

Add admin functions and initrc handling

needs chown setuid dac_override and sys_rawio
Talks to itself over a fifo file
Manages its own logfile and directories.
Reads all sysctls and network state
Communicates with http and munin ports
Runs a ps command
calls getpw* functions so needs auth_use_nsswitch
Reads fonts
Executes ping and ifconfig
Starts fstools
Communicates with mysql
sends mail

Add apache scripts policy

Attachment: services_munin.patch
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/438a34c8/attachment.pl
Attachment: services_munin.patch.sig (application/octet-stream, 72 bytes)
http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/438a34c8/attachment.obj
* [refpolicy] services_cvs.patch
@ 2008-09-24 20:43 Daniel J Walsh
From: Daniel J Walsh @ 2008-09-24 20:43 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch

Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
Add CVSWeb file context and cgi support
cvs uses kerberos_keytab file
* [refpolicy] services_cvs.patch
@ 2008-10-14 20:47 Daniel J Walsh
From: Daniel J Walsh @ 2008-10-14 20:47 UTC
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
Needs
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
* [refpolicy] services_cvs.patch
@ 2008-11-06 15:43 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2008-11-06 15:43 UTC
To: refpolicy

On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>
> Needs
>
> + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })

Conflicting type transition with httpd_cvs_script_rw_t.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_cvs.patch
@ 2008-11-06 16:31 Daniel J Walsh
From: Daniel J Walsh @ 2008-11-06 16:31 UTC
To: refpolicy

Christopher J. PeBenito wrote:
> On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>>
>> Needs
>>
>> + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
>
> Conflicting type transition with httpd_cvs_script_rw_t.
>
Alright, I guess the problem here is in my version of the apache interface.

My apache_content_template eliminates a lot of the rules that were specific to httpd_sys_script_t and moves them into the te file. This allows me to more easily write a confined cgi script that is much tighter than the Reference policy.

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	# This type is for webpages
	type httpd_$1_content_t;
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type;
	# customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;

	type httpd_$1_content_rw_t;
	files_type(httpd_$1_content_rw_t)
	typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;

	type httpd_$1_content_ra_t;
	files_type(httpd_$1_content_ra_t)
	typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;

	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	corecmd_exec_all_executables(httpd_$1_script_t)

	application_exec_all(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		dev_read_urand(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_unpriv_client(httpd_$1_script_t)
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
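The conflict Chris points out above is a build-time property of the policy: a default type_transition is keyed on (source domain, target directory type, object class), and two rules that give one key two different default types cannot both be compiled in. That matters for security because the transition decides which label the CGI's files in /tmp receive, and therefore which domains may read or replace them. The following added example (my code, not from this thread or from refpolicy) expands the `$1` prefix of template lines the way m4 does and then checks the resulting filetrans rules for conflicting defaults. The line standing in for apache_content_template's own rule is a constructed assumption based only on Chris's remark that it transitions to httpd_cvs_script_rw_t; the macro-to-target-type table and the four-argument named-transition form are assumptions as well.

```python
"""Check refpolicy-style filetrans rules for conflicting default types.

Added example, not code from the refpolicy thread. It expands the $1
template parameter the way m4 does and reports (source, target, class)
keys that would receive two different default types, which checkpolicy
rejects as a conflicting type_transition.
"""
import re
from collections import defaultdict

# Assumption: target directory type that each refpolicy filetrans macro implies.
FILETRANS_MACROS = {
    "files_tmp_filetrans": "tmp_t",
    "files_pid_filetrans": "var_run_t",
    "logging_log_filetrans": "var_log_t",
}

# e.g. files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
# An optional quoted 4th argument is treated as a named transition (assumed form).
MACRO_RE = re.compile(
    r"(?P<macro>\w+_filetrans)\(\s*(?P<src>[\w$]+)\s*,\s*(?P<default>[\w$]+)\s*,"
    r"\s*(?P<classes>\{[^}]*\}|\w+)\s*(?:,\s*\"(?P<name>[^\"]*)\")?\s*\)"
)
# raw statement: type_transition src tgt:{ file dir } default "name";
RAW_RE = re.compile(
    r"type_transition\s+(?P<src>[\w$]+)\s+(?P<tgt>[\w$]+)\s*:\s*"
    r"(?P<classes>\{[^}]*\}|\w+)\s+(?P<default>[\w$]+)\s*(?:\"(?P<name>[^\"]*)\")?\s*;"
)


def expand_template(text, prefix):
    """Substitute the template's $1 parameter, as refpolicy's m4 layer does."""
    return text.replace("$1", prefix)


def _classes(token):
    """'{ file dir }' -> ['file', 'dir']; 'file' -> ['file']."""
    return token.strip("{} ").split()


def parse_filetrans(text):
    """Return (src, tgt, cls, default, name) tuples for every rule in text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m and m.group("macro") in FILETRANS_MACROS:
            tgt = FILETRANS_MACROS[m.group("macro")]
            for cls in _classes(m.group("classes")):
                rules.append((m.group("src"), tgt, cls, m.group("default"), m.group("name")))
            continue
        m = RAW_RE.match(line)
        if m:
            for cls in _classes(m.group("classes")):
                rules.append((m.group("src"), m.group("tgt"), cls,
                              m.group("default"), m.group("name")))
    return rules


def find_conflicts(rules):
    """Map each (src, tgt, cls, name) key that has more than one default type
    to the sorted list of competing defaults. An empty dict means the rules
    would compile as far as type transitions are concerned."""
    defaults = defaultdict(set)
    for src, tgt, cls, default, name in rules:
        defaults[(src, tgt, cls, name)].add(default)
    return {key: sorted(vals) for key, vals in defaults.items() if len(vals) > 1}


# Constructed stand-in for the rule inside refpolicy's apache_content_template
# that Chris's reply refers to; its exact form is an assumption.
APACHE_TEMPLATE_SNIPPET = """
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { file dir })
"""

# The line added by the cvs.te hunk in this thread.
CVS_TE_SNIPPET = """
files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
"""

# Same intent as a named transition (assumed 4-argument macro form): only
# entries literally called "cvsweb" get cvs_tmp_t, so the keys no longer collide.
CVS_TE_NAMED_SNIPPET = """
files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }, "cvsweb")
"""


def check_cvs_policy(cvs_snippet=CVS_TE_SNIPPET):
    """Expand the template for prefix 'cvs', add the cvs.te rule, report conflicts."""
    rules = parse_filetrans(expand_template(APACHE_TEMPLATE_SNIPPET, "cvs"))
    rules += parse_filetrans(cvs_snippet)
    return find_conflicts(rules)


if __name__ == "__main__":
    for key, vals in sorted(check_cvs_policy().items()):
        print("conflict:", key, "->", " vs ".join(vals))
    print("named variant conflicts:", check_cvs_policy(CVS_TE_NAMED_SNIPPET))
```

Run stand-alone it reports one conflict per object class (file and dir) between cvs_tmp_t and httpd_cvs_script_rw_t, and none for the named variant. On a live system the same question is answered by `sesearch -T -s httpd_cvs_script_t -t tmp_t` against the installed policy, but the point of doing it on the source is to catch the collision before semodule does.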
* [refpolicy] services_cvs.patch
@ 2009-03-05 16:34 Daniel J Walsh
From: Daniel J Walsh @ 2009-03-05 16:34 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch

Fixup read_cvs data

Allow httpd_cvs_script_t to create cvs_tmp files.
* [refpolicy] services_cvs.patch
@ 2009-03-23 15:24 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2009-03-23 15:24 UTC
To: refpolicy

On Thu, 2009-03-05 at 12:34 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch
>
> Fixup read_cvs data
>
> Allow httpd_cvs_script_t to create cvs_tmp files.

Merged the first part, the second part is a conflict due to Fedora's different apache policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] services_cvs.patch
@ 2009-06-09 0:21 Daniel J Walsh
From: Daniel J Walsh @ 2009-06-09 0:21 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch

Add transition rule to allow httpd script to create cvs_tmp_t files and directories.
* [refpolicy] services_cvs.patch
@ 2009-11-12 21:23 Daniel J Walsh
From: Daniel J Walsh @ 2009-11-12 21:23 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_cvs.patch

cvs script needs to be able to transition in /tmp to cvs_tmp_t.
* [refpolicy] services_cvs.patch
@ 2010-02-23 20:04 Daniel J Walsh
From: Daniel J Walsh @ 2010-02-23 20:04 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_cvs.patch

cvs needs dac_override when it tries to read shadow
cvs cgi script needs to transition files on /tmp
* [refpolicy] services_cvs.patch
@ 2010-08-26 21:08 Daniel J Walsh
From: Daniel J Walsh @ 2010-08-26 21:08 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_cvs.patch

CVS script creates files in /tmp