* [refpolicy] services_cvs.patch
@ 2008-09-24 20:43 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2008-09-24 20:43 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
Add initrc script support
allow admin to start/stop service
Admin needs admin_pattern on all file types
Add CVSWeb file context and cgi support
cvs uses kerberos_keytab file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjapl4ACgkQrlYvE4MpobPhGgCfaA5iZd2zCpLQ74FTlkN6Tdur
mWYAoNKH8nQRES1r3Fe+s4BVniHBD+ZJ
=tSoP
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
2008-10-09 18:09 ` Christopher J. PeBenito
@ 2008-10-10 20:30 ` Daniel J Walsh
2008-10-13 15:10 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:30 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Add httpd cgi policy and kerberos_keytab support
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjvu4IACgkQrlYvE4MpobOG+ACdH2qVNjMHNwEutoITf2k5XcRH
1AAAoIebE+cibauYgEtQfxgtpWkvAjNW
=J70B
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_cvs.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_cvs.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.obj
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
@ 2008-10-13 15:10 ` Christopher J. PeBenito
0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
To: refpolicy
On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote:
> Add httpd cgi policy and kerberos_keytab support
Merged.
>
>
>
>
>
> plain text
> document
> attachment
> (services_cvs.patch)
>
> --- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -5,3 +5,6 @@
>
> /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
>
> +#CVSWeb file context
> +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/cvs.if 2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.if 2008-10-10 16:08:15.000000000 -0400
> @@ -69,4 +69,13 @@
> domain_system_change_exemption($1)
> role_transition $2 cvs_initrc_exec_t system_r;
> allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cvs_tmp_t)
> +
> + admin_pattern($1, cvs_data_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cvs_var_run_t)
> ')
> +
> --- nsaserefpolicy/policy/modules/services/cvs.te 2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-10 16:08:15.000000000 -0400
> @@ -99,7 +99,17 @@
> ')
>
> optional_policy(`
> - kerberos_read_keytab(cvs_t)
> + kerberos_keytab_template(cvs, cvs_t)
> kerberos_read_config(cvs_t)
> kerberos_dontaudit_write_config(cvs_t)
> ')
> +
> +########################################
> +# CVSWeb policy
> +
> +apache_content_template(cvs)
> +
> +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
> +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2008-10-14 20:47 Daniel J Walsh
2008-11-06 15:43 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2008-10-14 20:47 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
Needs
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkj1BWwACgkQrlYvE4MpobPvNwCg0HVJW/bXtbOSg7tnP3rGDpGM
hcYAn0ns0ugl0ABrH9GZVamApa/84xAP
=wPFU
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
2008-10-14 20:47 Daniel J Walsh
@ 2008-11-06 15:43 ` Christopher J. PeBenito
2008-11-06 16:31 ` Daniel J Walsh
0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2008-11-06 15:43 UTC (permalink / raw)
To: refpolicy
On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>
> Needs
>
> + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
Conflicting type transition with httpd_cvs_script_rw_t.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
2008-11-06 15:43 ` Christopher J. PeBenito
@ 2008-11-06 16:31 ` Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2008-11-06 16:31 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>>
>> Needs
>>
>> + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
>
> Conflicting type transition with httpd_cvs_script_rw_t.
>
Alright I guess the problem here is in my version of the apache interface
My apache_content_template eliminates a lot of the rules that were
specific to httpd_sys_script_t and moves them into the te file. This
allows me to more easily write a confined cgi script that is much
tighter then the Reference policy
########################################
## <summary>
## Create a set of derived types for apache
## web content.
## </summary>
## <param name="prefix">
## <summary>
## The prefix to be used for deriving type names.
## </summary>
## </param>
#
template(`apache_content_template',`
gen_require(`
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
#This type is for webpages
type httpd_$1_content_t;
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
type httpd_$1_htaccess_t;
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
type httpd_$1_script_t;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
# The following three are the only areas that
# scripts can read, read/write, or append to
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
type httpd_$1_content_rw_t;
files_type(httpd_$1_content_rw_t)
typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;
type httpd_$1_content_ra_t;
files_type(httpd_$1_content_ra_t)
typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t
httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t
httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_$1_script_t, httpd_$1_content_t,
httpd_$1_content_t)
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t,
httpd_$1_content_t)
append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms
add_entry_dir_perms };
read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
dev_read_rand(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
application_exec_all(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
files_search_home(httpd_$1_script_t)
libs_use_ld_so(httpd_$1_script_t)
libs_use_shared_libs(httpd_$1_script_t)
libs_exec_ld_so(httpd_$1_script_t)
libs_exec_lib_files(httpd_$1_script_t)
miscfiles_read_fonts(httpd_$1_script_t)
miscfiles_read_public_files(httpd_$1_script_t)
seutil_dontaudit_search_config(httpd_$1_script_t)
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
manage_files_pattern(httpd_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms
add_entry_dir_perms };
read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
append_files_pattern(httpd_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t,
httpd_$1_script_t)
allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket
create_stream_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
')
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
')
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkTG/UACgkQrlYvE4MpobM1iwCgoZhxtseCjvTUNHKS8wfEx2C1
9PcAoM5r5CfRr/rhogRsGjhOlLRI9y22
=xesH
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2009-03-05 16:34 Daniel J Walsh
2009-03-23 15:24 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:34 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch
Fixup read_cvs data
Allow httpd_cvs_script_t to create cvs_tmp files.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmv/y4ACgkQrlYvE4MpobO4FwCgj1Xa8pD3fz4gNjuVM3yAti1p
zWcAmQGAWYKv7D30w67anDFE86jsY/oN
=QULe
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
2009-03-05 16:34 Daniel J Walsh
@ 2009-03-23 15:24 ` Christopher J. PeBenito
0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2009-03-23 15:24 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-03-05 at 12:34 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch
>
>
> Fixup read_cvs data
>
> Allow httpd_cvs_script_t to create cvs_tmp files.
Merged the first part, the second part is a conflict due to Fedora's
different apache policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2009-06-09 0:21 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-06-09 0:21 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch
Add transition rule to allow httpd script to create cvs_tmp_t files and
directories.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2009-11-12 21:23 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:23 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_cvs.patch
cvs script needs to be able to transiton in /tmp to cvs_tmp_t.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2010-02-23 20:04 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2010-02-23 20:04 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_cvs.patch
cvs needs dac_override when it tries to read shadow
cvs cgi script needs to transition files on /tmp
^ permalink raw reply [flat|nested] 12+ messages in thread
* [refpolicy] services_cvs.patch
@ 2010-08-26 21:08 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2010-08-26 21:08 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_cvs.patch
CVS script creates files in /tmp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkx2184ACgkQrlYvE4MpobMLXwCfak9MjSSWhip8cOTl1CT5Th1W
pYAAoLQ0G9hRFMX1xMvsTqvaXRnGexyW
=WOTP
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2010-08-26 21:08 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-06-09 0:21 [refpolicy] services_cvs.patch Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2010-08-26 21:08 Daniel J Walsh
2010-02-23 20:04 Daniel J Walsh
2009-11-12 21:23 Daniel J Walsh
2009-03-05 16:34 Daniel J Walsh
2009-03-23 15:24 ` Christopher J. PeBenito
2008-10-14 20:47 Daniel J Walsh
2008-11-06 15:43 ` Christopher J. PeBenito
2008-11-06 16:31 ` Daniel J Walsh
2008-09-24 20:43 Daniel J Walsh
2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh
2008-10-09 18:09 ` Christopher J. PeBenito
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
2008-10-13 15:10 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.