* [refpolicy] services_snort.patch
From: Daniel J Walsh @ 2008-09-24 19:59 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch

New path for snort

snort now uses /var/run/snort

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types

snort uses the netlink_firewall_socket

connects to the prelude port

reads random devices

reads utmp file

resolves hostnames

plays with prelude


* [refpolicy] services_snort.patch
From: Christopher J. PeBenito @ 2008-10-09 18:09 UTC (permalink / raw)
  To: refpolicy

On Wed, 2008-09-24 at 15:59 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch
> 
> New path for snort
> 
> snort now uses /var/run/snort
> 
> Add initrc script support
> 
> allow admin to start/stop service
> 
> Admin needs admin_pattern on all file types
> 
> snort uses the netlink_firewall_socket
> 
> connects to the prelude port
> 
> reads random devices
> 
> reads utmp file
> 
> resolves hostnames
> 
> plays with prelude

Merged, except for the prelude bits.  It also sounds like that DNS
resolve should go in the prelude optional too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_cvs.patch
From: Daniel J Walsh @ 2008-10-10 20:30 UTC (permalink / raw)
  To: refpolicy

Add httpd cgi policy and kerberos_keytab support

* [refpolicy] services_cyrus.patch
From: Daniel J Walsh @ 2008-10-10 20:32 UTC (permalink / raw)
  To: refpolicy

Add _admin support and kerberos_keytab.

* [refpolicy] services_snort.patch
From: Daniel J Walsh @ 2008-10-10 20:40 UTC (permalink / raw)
  To: refpolicy

Complete kerberos patch and several small domains that use kerberos keytabs.

* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2008-10-10 20:45 UTC (permalink / raw)
  To: refpolicy

Add admin functions and initrc handling

needs chown setuid dac_override and sys_rawio

Talks to itself over a fifo file

Manages its own logfile and directories.

Reads all sysctls and network state

Communicates with http and munin ports

Runs a ps command

calls getpw* functions so needs auth_use_nsswitch

Reads fonts

Executes ping and ifconfig

Starts fstools

Communicates with mysql

sends mail

Add apache scripts policy

* [refpolicy] services_cyrus.patch
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
  To: refpolicy

On Fri, 2008-10-10 at 16:32 -0400, Daniel J Walsh wrote:
> 
> Add _admin support and kerberos_keytab.

Merged.

> plain text document attachment (services_cyrus.patch)
> 
> --- nsaserefpolicy/policy/modules/services/cyrus.fc     2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1,3 +1,4 @@
> +/etc/rc\.d/init\.d/cyrus       --      gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
>  
>  /usr/lib(64)?/cyrus-imapd/cyrus-master --      gen_context(system_u:object_r:cyrus_exec_t,s0)
>  
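Review bot: the new `/etc/rc\.d/init\.d/cyrus` entry only matches an init script named exactly `cyrus`; if the package installs the script under another name, it keeps the generic init script label and the `init_labeled_script_domtrans` and `role_transition` added to `cyrus_admin` in the cyrus.if hunk never apply to it. Worth confirming the installed path before merging.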
> --- nsaserefpolicy/policy/modules/services/cyrus.if     2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400
> @@ -39,3 +39,47 @@
>         files_search_var_lib($1)
>         stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
>  ')
> +
> +########################################
> +## <summary>
> +##     All of the rules required to administrate 
> +##     an cyrus environment
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +## <param name="role">
> +##     <summary>
> +##     The role to be allowed to manage the cyrus domain.
> +##     </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cyrus_admin',`
> +       gen_require(`
> +               type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
> +               type cyrus_var_run_t;
> +               type cyrus_initrc_exec_t;
> +       ')
> +
> +       allow $1 cyrus_t:process { ptrace signal_perms };
> +       ps_process_pattern($1, cyrus_t)
> +               
> +       init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
> +       domain_system_change_exemption($1)
> +       role_transition $2 cyrus_initrc_exec_t system_r;
> +       allow $2 system_r;
> +
> +       files_list_tmp($1)
> +       admin_pattern($1, cyrus_tmp_t)
> +
> +       files_list_var_lib($1)
> +       admin_pattern($1, cyrus_var_lib_t)
> +
> +       files_list_pids($1)
> +       admin_pattern($1, cyrus_var_run_t)
> +')
> +
> +
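Review bot: the XML summary reads `an cyrus environment` and the `administrate ` line carries trailing whitespace, as does the whitespace-only line after `ps_process_pattern($1, cyrus_t)`; suggest `a cyrus environment` and trimming both, and dropping the two empty `+` lines after the closing `')`, which leave blank lines at the end of cyrus.if. Separately, `allow $1 cyrus_t:process { ptrace signal_perms };` gives the admin role ptrace over the daemon, which is more than starting, stopping and signalling it requires; `signal_perms` together with `ps_process_pattern` covers the management case, so consider dropping `ptrace` unless debugging cyrus from the admin role is intended.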
> --- nsaserefpolicy/policy/modules/services/cyrus.te     2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,6 +10,9 @@
>  type cyrus_exec_t;
>  init_daemon_domain(cyrus_t, cyrus_exec_t)
>  
> +type cyrus_initrc_exec_t;
> +init_script_file(cyrus_initrc_exec_t)
> +
>  type cyrus_tmp_t;
>  files_tmp_file(cyrus_tmp_t)
>  
> @@ -120,7 +123,7 @@
>  ')
>  
>  optional_policy(`
> -       kerberos_use(cyrus_t)
> +       kerberos_keytab_template(cyrus, cyrus_t)
>  ')
>  
>  optional_policy(`
> 
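Review bot: `kerberos_keytab_template(cyrus, cyrus_t)` replaces `kerberos_use(cyrus_t)` rather than adding to it, so this hunk depends on the template existing in kerberos.if (it is delivered by the separate kerberos patch posted in this thread) and on the template granting everything `kerberos_use` did, such as reading the kerberos configuration and reaching the kerberos ports; if the template only declares a keytab type and allows reading it, the daemon loses the rest. Either confirm the template's contents or keep `kerberos_use(cyrus_t)` next to it.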



* [refpolicy] services_cvs.patch
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
  To: refpolicy

On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote:
> Add httpd cgi policy and kerberos_keytab support

Merged.

> plain text document attachment (services_cvs.patch)
> 
> --- nsaserefpolicy/policy/modules/services/cvs.fc       2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc   2008-10-10 16:08:15.000000000 -0400
> @@ -5,3 +5,6 @@
>  
>  /var/cvs(/.*)?         gen_context(system_u:object_r:cvs_data_t,s0)
>  
> +#CVSWeb file context
> +/usr/share/cvsweb/cvsweb\.cgi  --      gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> +/var/www/cgi-bin/cvsweb\.cgi   --      gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
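Review bot: both cvsweb entries label the CGI with `httpd_cvs_script_exec_t`, a type that only exists once `apache_content_template(cvs)` from the cvs.te hunk is in place, so this fc change cannot be taken without the te change and the two should land together. Minor: the comment `#CVSWeb file context` lacks the space after `#` used in the other comments in this patch.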
> --- nsaserefpolicy/policy/modules/services/cvs.if       2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.if   2008-10-10 16:08:15.000000000 -0400
> @@ -69,4 +69,13 @@
>         domain_system_change_exemption($1)
>         role_transition $2 cvs_initrc_exec_t system_r;
>         allow $2 system_r;
> +
> +       files_list_tmp($1)
> +       admin_pattern($1, cvs_tmp_t)
> +
> +       admin_pattern($1, cvs_data_t)
> +
> +       files_list_pids($1)
> +       admin_pattern($1, cvs_var_run_t)
>  ')
> +
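Review bot: `cvs_admin` now references `cvs_tmp_t`, `cvs_data_t` and `cvs_var_run_t`, but the hunk starts after the interface's `gen_require` block and does not show those types being declared there; if they are missing, the interface fails to build when a role calls it. Also, `admin_pattern($1, cvs_data_t)` is not paired with a `files_list_var($1)` the way the tmp and pids cases are paired with their list interfaces, and the trailing `+` empty line after `')` adds a blank line at the end of cvs.if.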
> --- nsaserefpolicy/policy/modules/services/cvs.te       2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.te   2008-10-10 16:08:15.000000000 -0400
> @@ -99,7 +99,17 @@
>  ')
>  
>  optional_policy(`
> -       kerberos_read_keytab(cvs_t)
> +       kerberos_keytab_template(cvs, cvs_t)
>         kerberos_read_config(cvs_t)
>         kerberos_dontaudit_write_config(cvs_t)
>  ')
> +
> +########################################
> +# CVSWeb policy
> +
> +apache_content_template(cvs)
> +
> +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
> +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
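Review bot: `apache_content_template(cvs)` and the four rules under `# CVSWeb policy` sit outside any optional_policy block even though they depend on the apache module, which is optional in refpolicy, so the cvs module will fail to build on a policy without apache; wrap the CVSWeb section in an optional_policy block. Assuming `cvs_tmp_t` is the daemon's own tmp type, `files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })` together with the manage patterns lets the web-facing CGI create and write files the daemon later reads, and a separate tmp type for the CGI would keep the two apart. The `kerberos_keytab_template(cvs, cvs_t)` swap has the same dependency on the separate kerberos patch as the cyrus change.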

* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2008-10-14 20:27 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_munin.patch

Add initrc support

fix labeling on /var/log

Add _admin interface

Needs chown dac_override sys_rawio capabilities

Uses fifo files

Handle log files


Read kernel sysctls and network state

Connect and bind to munin ports

dontaudit read all processes
execs ifconfig
Domtrans to ping

Calls getpw so needs auth_use_nsswitch

Lists spool

Communicates with fstools and mysql

Reads mta logs and sends mail


* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2009-03-24 13:49 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_munin.patch

New context for munin

Add munin_admin interface

munin_t needs chown/dac and sys_rawio capabilities

uses fifo, and execs itself

log files can be in a log directory

execs shell

communicates with the munin/apache ports

calls getpw, lists inotify


reads fonts

runs ping and ifconfig

Added http types.


* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2009-06-09  0:47 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_munin.patch

Label for munin initrc script

Fix label of /var/log/munin.*

Add cgi support

munin needs more capabilities, uses fifo_files and can exec itself.

Add support for log file


* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2009-11-12 21:41 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_munin.patch

munin html policy

munin uses rawio

Getattr on spool files.


* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2010-02-23 20:22 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_munin.patch
munin cgi context
Uses sock_files in /tmp
Prints stuff and looks at postfix spool


* [refpolicy] services_munin.patch
From: Daniel J Walsh @ 2010-08-26 21:55 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_munin.patch

Change to use attributes for the plugins
