* [refpolicy] services_cvs.patch @ 2009-03-05 16:34 Daniel J Walsh 2009-03-23 15:24 ` Christopher J. PeBenito 0 siblings, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2009-03-05 16:34 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch Fixup read_cvs data Allow httpd_cvs_script_t to create cvs_tmp files. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkmv/y4ACgkQrlYvE4MpobO4FwCgj1Xa8pD3fz4gNjuVM3yAti1p zWcAmQGAWYKv7D30w67anDFE86jsY/oN =QULe -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch 2009-03-05 16:34 [refpolicy] services_cvs.patch Daniel J Walsh @ 2009-03-23 15:24 ` Christopher J. PeBenito 0 siblings, 0 replies; 12+ messages in thread From: Christopher J. PeBenito @ 2009-03-23 15:24 UTC (permalink / raw) To: refpolicy On Thu, 2009-03-05 at 12:34 -0400, Daniel J Walsh wrote: > http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch > > > Fixup read_cvs data > > Allow httpd_cvs_script_t to create cvs_tmp files. Merged the first part, the second part is a conflict due to Fedora's different apache policy. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch @ 2010-08-26 21:08 Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2010-08-26 21:08 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_cvs.patch CVS script creates files in /tmp -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkx2184ACgkQrlYvE4MpobMLXwCfak9MjSSWhip8cOTl1CT5Th1W pYAAoLQ0G9hRFMX1xMvsTqvaXRnGexyW =WOTP -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch @ 2010-02-23 20:04 Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2010-02-23 20:04 UTC (permalink / raw) To: refpolicy http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_cvs.patch cvs needs dac_override when it tries to read shadow cvs cgi script needs to transition files on /tmp ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch @ 2009-11-12 21:23 Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2009-11-12 21:23 UTC (permalink / raw) To: refpolicy http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_cvs.patch cvs script needs to be able to transiton in /tmp to cvs_tmp_t. ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch @ 2009-06-09 0:21 Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2009-06-09 0:21 UTC (permalink / raw) To: refpolicy http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch Add transition rule to allow httpd script to create cvs_tmp_t files and directories. ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2008-10-14 20:47 Daniel J Walsh
2008-11-06 15:43 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2008-10-14 20:47 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
Needs
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkj1BWwACgkQrlYvE4MpobPvNwCg0HVJW/bXtbOSg7tnP3rGDpGM
hcYAn0ns0ugl0ABrH9GZVamApa/84xAP
=wPFU
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread* [refpolicy] services_cvs.patch 2008-10-14 20:47 Daniel J Walsh @ 2008-11-06 15:43 ` Christopher J. PeBenito 2008-11-06 16:31 ` Daniel J Walsh 0 siblings, 1 reply; 12+ messages in thread From: Christopher J. PeBenito @ 2008-11-06 15:43 UTC (permalink / raw) To: refpolicy On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote: > http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch > > Needs > > + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) Conflicting type transition with httpd_cvs_script_rw_t. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch 2008-11-06 15:43 ` Christopher J. PeBenito @ 2008-11-06 16:31 ` Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2008-11-06 16:31 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christopher J. PeBenito wrote: > On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote: >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch >> >> Needs >> >> + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) > > Conflicting type transition with httpd_cvs_script_rw_t. > Alright I guess the problem here is in my version of the apache interface My apache_content_template eliminates a lot of the rules that were specific to httpd_sys_script_t and moves them into the te file. This allows me to more easily write a confined cgi script that is much tighter then the Reference policy ######################################## ## <summary> ## Create a set of derived types for apache ## web content. ## </summary> ## <param name="prefix"> ## <summary> ## The prefix to be used for deriving type names. ## </summary> ## </param> # template(`apache_content_template',` gen_require(` attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') #This type is for webpages type httpd_$1_content_t; files_type(httpd_$1_content_t) # This type is used for .htaccess files type httpd_$1_htaccess_t; files_type(httpd_$1_htaccess_t) # Type that CGI scripts run as type httpd_$1_script_t; domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; # This type is used for executable scripts files type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) # The following three are the only areas that # scripts can read, read/write, or append to typealias httpd_$1_content_t alias httpd_$1_script_ro_t; type httpd_$1_content_rw_t; files_type(httpd_$1_content_rw_t) typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; type httpd_$1_content_ra_t; files_type(httpd_$1_content_ra_t) typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; allow httpd_$1_script_t httpd_t:fifo_file write; # apache should set close-on-exec dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; # Allow the script process to search the cgi directory, and users directory allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) dev_read_rand(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) application_exec_all(httpd_$1_script_t) files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) files_search_home(httpd_$1_script_t) libs_use_ld_so(httpd_$1_script_t) libs_use_shared_libs(httpd_$1_script_t) libs_exec_ld_so(httpd_$1_script_t) libs_exec_lib_files(httpd_$1_script_t) miscfiles_read_fonts(httpd_$1_script_t) miscfiles_read_public_files(httpd_$1_script_t) seutil_dontaudit_search_config(httpd_$1_script_t) # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) ') tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t httpd_$1_script_exec_t:file read_file_perms; allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; kernel_read_system_state(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) fs_getattr_xattr_fs(httpd_$1_script_t) files_read_etc_runtime_files(httpd_$1_script_t) files_read_usr_files(httpd_$1_script_t) libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) ') optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) ') ') optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) ') optional_policy(` nscd_socket_use(httpd_$1_script_t) ') ') -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkTG/UACgkQrlYvE4MpobM1iwCgoZhxtseCjvTUNHKS8wfEx2C1 9PcAoM5r5CfRr/rhogRsGjhOlLRI9y22 =xesH -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch @ 2008-09-24 20:43 Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread From: Daniel J Walsh @ 2008-09-24 20:43 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch Add initrc script support allow admin to start/stop service Admin needs admin_pattern on all file types Add CVSWeb file context and cgi support cvs uses kerberos_keytab file -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjapl4ACgkQrlYvE4MpobPhGgCfaA5iZd2zCpLQ74FTlkN6Tdur mWYAoNKH8nQRES1r3Fe+s4BVniHBD+ZJ =tSoP -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_snort.patch @ 2008-09-24 19:59 Daniel J Walsh 2008-10-09 18:09 ` Christopher J. PeBenito 0 siblings, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2008-09-24 19:59 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch New path for snort snort now uses /var/run/snort Add initrc script support allow admin to start/stop service Admin needs admin_pattern on all file types snort uses the netlinkg_firewall_socket connects to the prelude port reads random devices reads utmp file resolves hostnames playes with prelude -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjanCcACgkQrlYvE4MpobMP3QCgo2zQdPjF9tnFxRDY5UDi+GrM YlYAniNBcZ8xRMFmtWcLHUqskeFKN8ng =W9eu -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_snort.patch 2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh @ 2008-10-09 18:09 ` Christopher J. PeBenito 2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh 0 siblings, 1 reply; 12+ messages in thread From: Christopher J. PeBenito @ 2008-10-09 18:09 UTC (permalink / raw) To: refpolicy On Wed, 2008-09-24 at 15:59 -0400, Daniel J Walsh wrote: > http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch > > New path for snort > > snort now uses /var/run/snort > > Add initrc script support > > allow admin to start/stop service > > Admin needs admin_pattern on all file types > > snort uses the netlinkg_firewall_socket > > connects to the prelude port > > reads random devices > > reads utmp file > > resolves hostnames > > playes with prelude Merged, except for the prelude bits. It also sounds like that DNS resolve should go in the prelude optional too. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch 2008-10-09 18:09 ` Christopher J. PeBenito @ 2008-10-10 20:30 ` Daniel J Walsh 2008-10-13 15:10 ` Christopher J. PeBenito 0 siblings, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2008-10-10 20:30 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Add httpd cgi policy and kerberos_keytab support -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjvu4IACgkQrlYvE4MpobOG+ACdH2qVNjMHNwEutoITf2k5XcRH 1AAAoIebE+cibauYgEtQfxgtpWkvAjNW =J70B -----END PGP SIGNATURE----- -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: services_cvs.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.pl -------------- next part -------------- A non-text attachment was scrubbed... Name: services_cvs.patch.sig Type: application/octet-stream Size: 72 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.obj ^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch 2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh @ 2008-10-13 15:10 ` Christopher J. PeBenito 0 siblings, 0 replies; 12+ messages in thread From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw) To: refpolicy On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote: > Add httpd cgi policy and kerberos_keytab support Merged. > > > > > > plain text > document > attachment > (services_cvs.patch) > > --- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc 2008-10-10 16:08:15.000000000 -0400 > @@ -5,3 +5,6 @@ > > /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) > > +#CVSWeb file context > +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) > +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) > --- nsaserefpolicy/policy/modules/services/cvs.if 2008-09-24 09:07:28.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/cvs.if 2008-10-10 16:08:15.000000000 -0400 > @@ -69,4 +69,13 @@ > domain_system_change_exemption($1) > role_transition $2 cvs_initrc_exec_t system_r; > allow $2 system_r; > + > + files_list_tmp($1) > + admin_pattern($1, cvs_tmp_t) > + > + admin_pattern($1, cvs_data_t) > + > + files_list_pids($1) > + admin_pattern($1, cvs_var_run_t) > ') > + > --- nsaserefpolicy/policy/modules/services/cvs.te 2008-09-24 09:07:28.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-10 16:08:15.000000000 -0400 > @@ -99,7 +99,17 @@ > ') > > optional_policy(` > - kerberos_read_keytab(cvs_t) > + kerberos_keytab_template(cvs, cvs_t) > kerberos_read_config(cvs_t) > kerberos_dontaudit_write_config(cvs_t) > ') > + > +######################################## > +# CVSWeb policy > + > +apache_content_template(cvs) > + > +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) > +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) > +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) > +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2010-08-26 21:08 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-03-05 16:34 [refpolicy] services_cvs.patch Daniel J Walsh 2009-03-23 15:24 ` Christopher J. PeBenito -- strict thread matches above, loose matches on Subject: below -- 2010-08-26 21:08 Daniel J Walsh 2010-02-23 20:04 Daniel J Walsh 2009-11-12 21:23 Daniel J Walsh 2009-06-09 0:21 Daniel J Walsh 2008-10-14 20:47 Daniel J Walsh 2008-11-06 15:43 ` Christopher J. PeBenito 2008-11-06 16:31 ` Daniel J Walsh 2008-09-24 20:43 Daniel J Walsh 2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh 2008-10-09 18:09 ` Christopher J. PeBenito 2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh 2008-10-13 15:10 ` Christopher J. PeBenito
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.