diff for duplicates of <4C5259CF.4000801@ak.jp.nec.com>
diff --git a/a/1.txt b/N1/1.txt
index 1a1a75e..ec8c2ca 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -72,3 +72,10 @@ This patch adds 'kv_item' class with the following permissions
 Thanks, Any comments please.
 -- 
 KaiGai Kohei <kaigai@ak.jp.nec.com>
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: refpolicy-memcached.1.patch
+Type: text/x-patch
+Size: 12660 bytes
+Desc: not available
+Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100730/2c5c8356/attachment.bin
diff --git a/a/2.hdr b/a/2.hdr
deleted file mode 100644
index 34cab3e..0000000
--- a/a/2.hdr
+++ /dev/null
@@ -1,5 +0,0 @@
-Content-Type: text/x-patch;
- name="refpolicy-memcached.1.patch"
-Content-Transfer-Encoding: 7bit
-Content-Disposition: attachment;
- filename="refpolicy-memcached.1.patch"
diff --git a/a/2.txt b/a/2.txt
deleted file mode 100644
index 8cc4d93..0000000
--- a/a/2.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 6760c95..1e1a6a3 100644
---- a/policy/flask/access_vectors
-+++ b/policy/flask/access_vectors
-@@ -816,3 +816,17 @@ inherits x_device
-
- class x_keyboard
- inherits x_device
-+
-+class kv_item
-+{
-+ create
-+ getattr
-+ setattr
-+ remove
-+ relabelfrom
-+ relabelto
-+ read
-+ write
-+ append
-+ calculate
-+}
-diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index fa65db2..9ace105 100644
---- a/policy/flask/security_classes
-+++ b/policy/flask/security_classes
-@@ -125,4 +125,7 @@ class tun_socket
- class x_pointer # userspace
- class x_keyboard # userspace
-
-+# key-value-store, such as memcached
-+class kv_item # userspace
-+
- # FLASK
-diff --git a/policy/mcs b/policy/mcs
-index af90ef2..bcc0c54 100644
---- a/policy/mcs
-+++ b/policy/mcs
-@@ -132,4 +132,13 @@ mlsconstrain db_procedure { drop getattr setattr execute install }
- mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
- ( h1 dom h2 );
-
-+#
-+# MCS policy for key-value items with SELinux support
-+#
-+mlsconstrain kv_item { create relabelto }
-+ (( h1 dom h2 ) and ( l2 eq h2 ));
-+
-+mlsconstrain kv_item { getattr setattr remove read write append calculate }
-+ ( h1 dom h2 );
-+
- ') dnl end enable_mcs
-diff --git a/policy/mls b/policy/mls
-index b9f0a3e..75a5b98 100644
---- a/policy/mls
-+++ b/policy/mls
-@@ -827,4 +827,42 @@ mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob
- (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
- (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
-
-+#
-+# MLS policy for key-value store
-+#
-+
-+# make sure kv_item has single level
-+mlsconstrain { kv_item } { create relabelto }
-+ ( l2 eq h2 );
-+
-+# new label must be dominated by the subjects clearance
-+mlsconstrain { kv_item } { relabelto }
-+ ( h1 dom h2 );
-+
-+# the key-value item "read" operations
-+mlsconstrain { kv_item } { getattr read }
-+ (( l1 dom l2 ) or
-+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
-+ ( t1 == mlsdbread ) or
-+ ( t2 == mlstrustedobject ));
-+
-+# the key-value item "write" operations
-+mlsconstrain { kv_item } { create remove setattr write append calculate }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
-+ ( t1 == mlsdbwrite ) or
-+ ( t2 == mlstrustedobject ));
-+
-+# the key-value item upgrade/downgrade rule
-+mlsvalidatetrans { kv_item }
-+ ((( l1 eq l2 ) or
-+ (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
-+ (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
-+ (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
-+ (( l1 eq h2 ) or
-+ (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
-+ (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
-+ (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
-+
- ') dnl end enable_mls
-diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 30754e4..c447f70 100644
---- a/policy/modules/roles/staff.te
-+++ b/policy/modules/roles/staff.te
-@@ -79,6 +79,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ memcached_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
- mozilla_role(staff_r, staff_t)
- ')
-
-diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index d5d5042..f737a33 100644
---- a/policy/modules/roles/unprivuser.te
-+++ b/policy/modules/roles/unprivuser.te
-@@ -73,6 +73,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ memcached_role(user_r, user_t)
-+')
-+
-+optional_policy(`
- mozilla_role(user_r, user_t)
- ')
-
-diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 57feb5a..9fe608d 100644
---- a/policy/modules/services/apache.if
-+++ b/policy/modules/services/apache.if
-@@ -175,6 +175,14 @@ template(`apache_content_template',`
- ')
-
- optional_policy(`
-+ memcached_unpriv_client(httpd_$1_script_t)
-+
-+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-+ memcached_tcp_connect(httpd_$1_script_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
- nis_use_ypbind_uncond(httpd_$1_script_t)
- ')
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index e33b9cd..da1b513 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -570,6 +570,16 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ # Allow httpd to work with memcached
-+ memcached_stream_connect(httpd_t)
-+ memcached_unpriv_client(httpd_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ memcached_tcp_connect(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
- openca_domtrans(httpd_t)
- openca_signal(httpd_t)
- openca_sigstop(httpd_t)
-diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..9f2e07b 100644
---- a/policy/modules/services/memcached.if
-+++ b/policy/modules/services/memcached.if
-@@ -71,3 +71,148 @@ interface(`memcached_admin',`
-
- admin_pattern($1, memcached_var_run_t)
- ')
-+
-+########################################
-+## <summary>
-+## Marks as a memcached key/value item type
-+## </summary>
-+## <param name="type">
-+## <summary>
-+## Type marked as a memcached key/value item type.
-+## </summary>
-+## </param>
-+#
-+interface(`memcached_item_object',`
-+ gen_require(`
-+ attribute memcached_item_type;
-+ ')
-+
-+ typeattribute $1 memcached_item_type;
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to connect to memcached with a tcp socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`memcached_tcp_connect',`
-+ gen_require(`
-+ type memcached_t;
-+ ')
-+
-+ corenet_tcp_recvfrom_labeled($1, memcached_t)
-+ corenet_tcp_sendrecv_memcache_port($1)
-+ corenet_tcp_connect_memcache_port($1)
-+ corenet_sendrecv_memcache_client_packets($1)
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to connect to memcached with a unix socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`memcached_stream_connect',`
-+ gen_require(`
-+ type memcached_t;
-+ type memcached_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 memcached_t:unix_stream_socket connectto;
-+ # we recommend to put the sock file in /var/run/memcached
-+ rw_sock_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain unconfined accesses to any memcached items.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`memcached_unconfined',`
-+ gen_require(`
-+ attribute memcached_unconfined_type;
-+ ')
-+ typeattribute $1 memcached_unconfined_type;
-+')
-+
-+#######################################
-+## <summary>
-+## Role access to memcached with SELinux suport
-+## </summary>
-+## <param name="user_role">
-+## <summary>
-+## The role associated with the user domain.
-+## </summary>
-+## </param>
-+## <param name="user_domain">
-+## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`memcached_role',`
-+ gen_require(`
-+ class kv_item all_kv_item_perms;
-+
-+ attribute memcached_client_type;
-+ type memcached_t;
-+ type user_memcached_item_t;
-+ ')
-+
-+ ########################################
-+ #
-+ # Client local policy
-+ #
-+ typeattribute $2 memcached_client_type;
-+
-+ type_transition $2 memcached_t:kv_item user_memcached_item_t;
-+
-+ allow $2 user_memcached_item_t:kv_item { create getattr setattr remove read write append calculate };
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain unprivileged accesses to unifined key-value
-+## items managed by memcached with SELinux support.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`memcached_unpriv_client',`
-+ gen_require(`
-+ class kv_item all_kv_item_perms;
-+
-+ attribute memcached_client_type;
-+ type memcached_t;
-+ type unpriv_memcached_item_t;
-+ ')
-+
-+ ########################################
-+ #
-+ # Client local policy
-+ #
-+ typeattribute $1 memcached_client_type;
-+
-+ type_transition $1 memcached_t:kv_item unpriv_memcached_item_t;
-+
-+ allow $1 unpriv_memcached_item_t:kv_item { create getattr setattr remove read write calculate };
-+')
-diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
-index b681608..854d904 100644
---- a/policy/modules/services/memcached.te
-+++ b/policy/modules/services/memcached.te
-@@ -15,6 +15,33 @@ init_script_file(memcached_initrc_exec_t)
- type memcached_var_run_t;
- files_pid_file(memcached_var_run_t)
-
-+type memcached_db_t;
-+files_type(memcached_db_t)
-+
-+# memcached clients
-+attribute memcached_client_type;
-+attribute memcached_unconfined_type;
-+
-+# memcached key/value items
-+attribute memcached_item_type;
-+
-+type memcached_item_t;
-+memcached_item_object(memcached_item_t)
-+
-+type memcached_ro_item_t;
-+memcached_item_object(memcached_ro_item_t)
-+
-+type memcached_secret_item_t;
-+memcached_item_object(memcached_secret_item_t)
-+
-+type user_memcached_item_t;
-+typealias user_memcached_item_t alias { staff_memcached_item_t sysadm_memcached_item_t };
-+typealias user_memcached_item_t alias { auditadm_memcached_item_t secadm_memcached_item_t };
-+memcached_item_object(user_memcached_item_t)
-+
-+type unpriv_memcached_item_t;
-+memcached_item_object(unpriv_memcached_item_t)
-+
- ########################################
- #
- # memcached local policy
-@@ -27,6 +54,7 @@ allow memcached_t self:tcp_socket create_stream_socket_perms;
- allow memcached_t self:udp_socket { create_socket_perms listen };
- allow memcached_t self:fifo_file rw_fifo_file_perms;
- allow memcached_t self:unix_stream_socket create_stream_socket_perms;
-+allow memcached_t self:netlink_selinux_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(memcached_t)
- corenet_udp_sendrecv_generic_if(memcached_t)
-@@ -42,17 +70,41 @@ corenet_udp_bind_memcache_port(memcached_t)
-
- manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
- manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
- files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
-
-+manage_files_pattern(memcached_t, memcached_db_t, memcached_db_t)
-+
- kernel_read_kernel_sysctls(memcached_t)
- kernel_read_system_state(memcached_t)
-
- files_read_etc_files(memcached_t)
-
-+selinux_get_enforce_mode(memcached_t)
-+selinux_validate_context(memcached_t)
-+selinux_compute_access_vector(memcached_t)
-+selinux_compute_create_context(memcached_t)
-+selinux_compute_relabel_context(memcached_t)
-+
- term_dontaudit_use_all_ptys(memcached_t)
- term_dontaudit_use_all_ttys(memcached_t)
- term_dontaudit_use_console(memcached_t)
-
- auth_use_nsswitch(memcached_t)
-
-+logging_send_audit_msgs(memcached_t)
-+
- miscfiles_read_localization(memcached_t)
-+
-+########################################
-+#
-+# Rules to managed items by memcached with SELinux support
-+#
-+gen_require(`
-+ class kv_item all_kv_item_perms;
-+')
-+
-+allow memcached_client_type memcached_item_t:kv_item { getattr setattr read write append calculate };
-+allow memcached_client_type memcached_ro_item_t:kv_item { getattr read };
-+type_transition memcached_unconfined_type memcached_t:kv_item memcached_item_t;
-+allow memcached_unconfined_type memcached_item_type:kv_item *;
-diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index c11cb30..85645fc 100644
---- a/policy/modules/system/unconfined.if
-+++ b/policy/modules/system/unconfined.if
-@@ -77,6 +77,10 @@ interface(`unconfined_domain_noaudit',`
- ')
-
- optional_policy(`
-+ memcached_unconfined($1)
-+ ')
-+
-+ optional_policy(`
- nscd_unconfined($1)
- ')
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index fafdd3d..525f3b0 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -626,6 +626,11 @@ template(`userdom_common_user_template',`
- locate_read_lib_files($1_t)
- ')
-
-+ optional_policy(`
-+ memcached_stream_connect($1_t)
-+ memcached_tcp_connect($1_t)
-+ ')
-+
- # for running depmod as part of the kernel packaging process
- optional_policy(`
- modutils_read_module_config($1_t)
-@@ -1159,6 +1164,10 @@ template(`userdom_admin_user_template',`
- ')
-
- optional_policy(`
-+ memcached_unconfined($1_t)
-+ ')
-+
-+ optional_policy(`
- postgresql_unconfined($1_t)
- ')
diff --git a/a/content_digest b/N1/content_digest
index a8e936d..68abaf0 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,11 +1,8 @@ - "From\0KaiGai Kohei <kaigai@ak.jp.nec.com>\0" - "Subject\0memcached permissions\0" + "From\0kaigai@ak.jp.nec.com (KaiGai Kohei)\0" + "Subject\0[refpolicy] memcached permissions\0" "Date\0Fri, 30 Jul 2010 13:49:19 +0900\0" - "To\0Christopher J. PeBenito <cpebenito@tresys.com>\0" - "Cc\0SELinux <selinux@tycho.nsa.gov>" - Reference Policy <refpolicy@oss1.tresys.com> - " Memcached <memcached@googlegroups.com>\0" - "\01:1\0" + "To\0refpolicy@oss.tresys.com\0" + "\00:1\0" "b\0" "I'll mainly submit the patch and message to SELinux community,\n" "but please don't hesitate to comment anything from memcached\n" 
@@ -80,460 +77,13 @@ "\n" "Thanks, Any comments please.\n" "-- \n" - KaiGai Kohei <kaigai@ak.jp.nec.com> - "\01:2\0" - "fn\0refpolicy-memcached.1.patch\0" - "b\0" - "diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors\n" - "index 6760c95..1e1a6a3 100644\n" - "--- a/policy/flask/access_vectors\n" - "+++ b/policy/flask/access_vectors\n" - "@@ -816,3 +816,17 @@ inherits x_device\n" - " \n" - " class x_keyboard\n" - " inherits x_device\n" - "+\n" - "+class kv_item\n" - "+{\n" - "+\tcreate\n" - "+\tgetattr\n" - "+\tsetattr\n" - "+\tremove\n" - "+\trelabelfrom\n" - "+\trelabelto\n" - "+\tread\n" - "+\twrite\n" - "+\tappend\n" - "+\tcalculate\n" - "+}\n" - "diff --git a/policy/flask/security_classes b/policy/flask/security_classes\n" - "index fa65db2..9ace105 100644\n" - "--- a/policy/flask/security_classes\n" - "+++ b/policy/flask/security_classes\n" - "@@ -125,4 +125,7 @@ class tun_socket\n" - " class x_pointer\t\t\t# userspace\n" - " class x_keyboard\t\t# userspace\n" - " \n" - "+# key-value-store, such as memcached\n" - "+class kv_item\t\t\t# userspace\n" - "+\n" - " # FLASK\n" - "diff --git a/policy/mcs b/policy/mcs\n" - "index af90ef2..bcc0c54 100644\n" - "--- a/policy/mcs\n" - "+++ b/policy/mcs\n" - "@@ -132,4 +132,13 @@ mlsconstrain db_procedure { drop getattr setattr execute install }\n" - " mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }\n" - " \t( h1 dom h2 );\n" - " \n" - "+#\n" - "+# MCS policy for key-value items with SELinux support\n" - "+#\n" - "+mlsconstrain kv_item { create relabelto }\n" - "+\t(( h1 dom h2 ) and ( l2 eq h2 ));\n" - "+\n" - "+mlsconstrain kv_item { getattr setattr remove read write append calculate }\n" - "+\t( h1 dom h2 );\n" - "+\n" - " ') dnl end enable_mcs\n" - "diff --git a/policy/mls b/policy/mls\n" - "index b9f0a3e..75a5b98 100644\n" - "--- a/policy/mls\n" - "+++ b/policy/mls\n" - "@@ -827,4 +827,42 @@ mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple 
db_blob\n" - " \t (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or\n" - " \t (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));\n" - " \n" - "+#\n" - "+# MLS policy for key-value store\n" - "+#\n" - "+\n" - "+# make sure kv_item has single level\n" - "+mlsconstrain { kv_item } { create relabelto }\n" - "+\t( l2 eq h2 );\n" - "+\n" - "+# new label must be dominated by the subjects clearance\n" - "+mlsconstrain { kv_item } { relabelto }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+# the key-value item \"read\" operations\n" - "+mlsconstrain { kv_item } { getattr read }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - "+# the key-value item \"write\" operations\n" - "+mlsconstrain { kv_item } { create remove setattr write append calculate }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - "+# the key-value item upgrade/downgrade rule\n" - "+mlsvalidatetrans { kv_item }\n" - "+\t((( l1 eq l2 ) or\n" - "+\t (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or\n" - "+\t (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or\n" - "+\t (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and\n" - "+\t (( l1 eq h2 ) or\n" - "+\t (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or\n" - "+\t (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or\n" - "+\t (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));\n" - "+\n" - " ') dnl end enable_mls\n" - "diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te\n" - "index 30754e4..c447f70 100644\n" - "--- a/policy/modules/roles/staff.te\n" - "+++ b/policy/modules/roles/staff.te\n" - "@@ -79,6 +79,10 @@ optional_policy(`\n" - " ')\n" - " \n" - " optional_policy(`\n" - "+\tmemcached_role(staff_r, staff_t)\n" - 
"+')\n" - "+\n" - "+optional_policy(`\n" - " \tmozilla_role(staff_r, staff_t)\n" - " ')\n" - " \n" - "diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te\n" - "index d5d5042..f737a33 100644\n" - "--- a/policy/modules/roles/unprivuser.te\n" - "+++ b/policy/modules/roles/unprivuser.te\n" - "@@ -73,6 +73,10 @@ optional_policy(`\n" - " ')\n" - " \n" - " optional_policy(`\n" - "+\tmemcached_role(user_r, user_t)\n" - "+')\n" - "+\n" - "+optional_policy(`\n" - " \tmozilla_role(user_r, user_t)\n" - " ')\n" - " \n" - "diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if\n" - "index 57feb5a..9fe608d 100644\n" - "--- a/policy/modules/services/apache.if\n" - "+++ b/policy/modules/services/apache.if\n" - "@@ -175,6 +175,14 @@ template(`apache_content_template',`\n" - " \t')\n" - " \n" - " \toptional_policy(`\n" - "+\t\tmemcached_unpriv_client(httpd_$1_script_t)\n" - "+\n" - "+\t\ttunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`\n" - "+\t\t\tmemcached_tcp_connect(httpd_$1_script_t)\n" - "+\t\t')\n" - "+\t')\n" - "+\n" - "+\toptional_policy(`\n" - " \t\ttunable_policy(`httpd_enable_cgi && allow_ypbind',`\n" - " \t\t\tnis_use_ypbind_uncond(httpd_$1_script_t)\n" - " \t\t')\n" - "diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te\n" - "index e33b9cd..da1b513 100644\n" - "--- a/policy/modules/services/apache.te\n" - "+++ b/policy/modules/services/apache.te\n" - "@@ -570,6 +570,16 @@ optional_policy(`\n" - " ')\n" - " \n" - " optional_policy(`\n" - "+\t# Allow httpd to work with memcached\n" - "+\tmemcached_stream_connect(httpd_t)\n" - "+\tmemcached_unpriv_client(httpd_t)\n" - "+\n" - "+\ttunable_policy(`httpd_can_network_connect_db',`\n" - "+\t\tmemcached_tcp_connect(httpd_t)\n" - "+\t')\n" - "+')\n" - "+\n" - "+optional_policy(`\n" - " \topenca_domtrans(httpd_t)\n" - " \topenca_signal(httpd_t)\n" - " \topenca_sigstop(httpd_t)\n" - "diff --git 
a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if\n" - "index db4fd6f..9f2e07b 100644\n" - "--- a/policy/modules/services/memcached.if\n" - "+++ b/policy/modules/services/memcached.if\n" - "@@ -71,3 +71,148 @@ interface(`memcached_admin',`\n" - " \n" - " \tadmin_pattern($1, memcached_var_run_t)\n" - " ')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tMarks as a memcached key/value item type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a memcached key/value item type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`memcached_item_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute memcached_item_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 memcached_item_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tAllow the specified domain to connect to memcached with a tcp socket.\n" - "+## </summary>\n" - "+## <param name=\"domain\">\n" - "+##\t<summary>\n" - "+##\tDomain allowed access.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`memcached_tcp_connect',`\n" - "+\tgen_require(`\n" - "+\t\ttype memcached_t;\n" - "+\t')\n" - "+\n" - "+\tcorenet_tcp_recvfrom_labeled($1, memcached_t)\n" - "+\tcorenet_tcp_sendrecv_memcache_port($1)\n" - "+\tcorenet_tcp_connect_memcache_port($1)\n" - "+\tcorenet_sendrecv_memcache_client_packets($1)\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tAllow the specified domain to connect to memcached with a unix socket.\n" - "+## </summary>\n" - "+## <param name=\"domain\">\n" - "+##\t<summary>\n" - "+##\tDomain allowed access.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+## <rolecap/>\n" - "+#\n" - "+interface(`memcached_stream_connect',`\n" - "+\tgen_require(`\n" - "+\t\ttype memcached_t;\n" - "+\t\ttype memcached_var_run_t;\n" - "+\t')\n" - "+\n" - 
"+\tfiles_search_pids($1)\n" - "+\tallow $1 memcached_t:unix_stream_socket connectto;\n" - "+\t# we recommend to put the sock file in /var/run/memcached\n" - "+\trw_sock_files_pattern($1, memcached_var_run_t, memcached_var_run_t)\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tAllow the specified domain unconfined accesses to any memcached items.\n" - "+## </summary>\n" - "+## <param name=\"domain\">\n" - "+##\t<summary>\n" - "+##\tDomain allowed access.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`memcached_unconfined',`\n" - "+\tgen_require(`\n" - "+\t\tattribute memcached_unconfined_type;\n" - "+\t')\n" - "+\ttypeattribute $1 memcached_unconfined_type;\n" - "+')\n" - "+\n" - "+#######################################\n" - "+## <summary>\n" - "+##\tRole access to memcached with SELinux suport\n" - "+## </summary>\n" - "+## <param name=\"user_role\">\n" - "+##\t<summary>\n" - "+##\tThe role associated with the user domain.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+## <param name=\"user_domain\">\n" - "+##\t<summary>\n" - "+##\tThe type of the user domain.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`memcached_role',`\n" - "+\tgen_require(`\n" - "+\t\tclass kv_item all_kv_item_perms;\n" - "+\n" - "+\t\tattribute memcached_client_type;\n" - "+\t\ttype memcached_t;\n" - "+\t\ttype user_memcached_item_t;\n" - "+\t')\n" - "+\n" - "+\t########################################\n" - "+\t#\n" - "+\t# Client local policy\n" - "+\t#\n" - "+\ttypeattribute $2 memcached_client_type;\n" - "+\n" - "+\ttype_transition $2 memcached_t:kv_item user_memcached_item_t;\n" - "+\n" - "+\tallow $2 user_memcached_item_t:kv_item { create getattr setattr remove read write append calculate };\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tAllow the specified domain unprivileged accesses to unifined key-value\n" - "+##\titems managed by memcached 
with SELinux support.\n" - "+## </summary>\n" - "+## <param name=\"domain\">\n" - "+##\t<summary>\n" - "+##\tDomain allowed access.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`memcached_unpriv_client',`\n" - "+ gen_require(`\n" - "+\t\tclass kv_item all_kv_item_perms;\n" - "+\n" - "+\t\tattribute memcached_client_type;\n" - "+\t\ttype memcached_t;\n" - "+\t\ttype unpriv_memcached_item_t;\n" - "+\t')\n" - "+\n" - "+\t########################################\n" - "+\t#\n" - "+\t# Client local policy\n" - "+\t#\n" - "+\ttypeattribute $1 memcached_client_type;\n" - "+\n" - "+\ttype_transition $1 memcached_t:kv_item unpriv_memcached_item_t;\n" - "+\n" - "+\tallow $1 unpriv_memcached_item_t:kv_item { create getattr setattr remove read write calculate };\n" - "+')\n" - "diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te\n" - "index b681608..854d904 100644\n" - "--- a/policy/modules/services/memcached.te\n" - "+++ b/policy/modules/services/memcached.te\n" - "@@ -15,6 +15,33 @@ init_script_file(memcached_initrc_exec_t)\n" - " type memcached_var_run_t;\n" - " files_pid_file(memcached_var_run_t)\n" - " \n" - "+type memcached_db_t;\n" - "+files_type(memcached_db_t)\n" - "+\n" - "+# memcached clients\n" - "+attribute memcached_client_type;\n" - "+attribute memcached_unconfined_type;\n" - "+\n" - "+# memcached key/value items\n" - "+attribute memcached_item_type;\n" - "+\n" - "+type memcached_item_t;\n" - "+memcached_item_object(memcached_item_t)\n" - "+\n" - "+type memcached_ro_item_t;\n" - "+memcached_item_object(memcached_ro_item_t)\n" - "+\n" - "+type memcached_secret_item_t;\n" - "+memcached_item_object(memcached_secret_item_t)\n" - "+\n" - "+type user_memcached_item_t;\n" - "+typealias user_memcached_item_t alias { staff_memcached_item_t sysadm_memcached_item_t };\n" - "+typealias user_memcached_item_t alias { auditadm_memcached_item_t secadm_memcached_item_t };\n" - 
"+memcached_item_object(user_memcached_item_t)\n" - "+\n" - "+type unpriv_memcached_item_t;\n" - "+memcached_item_object(unpriv_memcached_item_t)\n" - "+\n" - " ########################################\n" - " #\n" - " # memcached local policy\n" - "@@ -27,6 +54,7 @@ allow memcached_t self:tcp_socket create_stream_socket_perms;\n" - " allow memcached_t self:udp_socket { create_socket_perms listen };\n" - " allow memcached_t self:fifo_file rw_fifo_file_perms;\n" - " allow memcached_t self:unix_stream_socket create_stream_socket_perms;\n" - "+allow memcached_t self:netlink_selinux_socket create_socket_perms;\n" - " \n" - " corenet_all_recvfrom_unlabeled(memcached_t)\n" - " corenet_udp_sendrecv_generic_if(memcached_t)\n" - "@@ -42,17 +70,41 @@ corenet_udp_bind_memcache_port(memcached_t)\n" - " \n" - " manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)\n" - " manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)\n" - "+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)\n" - " files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })\n" - " \n" - "+manage_files_pattern(memcached_t, memcached_db_t, memcached_db_t)\n" - "+\n" - " kernel_read_kernel_sysctls(memcached_t)\n" - " kernel_read_system_state(memcached_t)\n" - " \n" - " files_read_etc_files(memcached_t)\n" - " \n" - "+selinux_get_enforce_mode(memcached_t)\n" - "+selinux_validate_context(memcached_t)\n" - "+selinux_compute_access_vector(memcached_t)\n" - "+selinux_compute_create_context(memcached_t)\n" - "+selinux_compute_relabel_context(memcached_t)\n" - "+\n" - " term_dontaudit_use_all_ptys(memcached_t)\n" - " term_dontaudit_use_all_ttys(memcached_t)\n" - " term_dontaudit_use_console(memcached_t)\n" - " \n" - " auth_use_nsswitch(memcached_t)\n" - " \n" - "+logging_send_audit_msgs(memcached_t)\n" - "+\n" - " miscfiles_read_localization(memcached_t)\n" - "+\n" - "+########################################\n" - "+#\n" - "+# Rules to 
managed items by memcached with SELinux support\n" - "+#\n" - "+gen_require(`\n" - "+\tclass kv_item all_kv_item_perms;\n" - "+')\n" - "+\n" - "+allow memcached_client_type memcached_item_t:kv_item { getattr setattr read write append calculate };\n" - "+allow memcached_client_type memcached_ro_item_t:kv_item { getattr read };\n" - "+type_transition memcached_unconfined_type memcached_t:kv_item memcached_item_t;\n" - "+allow memcached_unconfined_type memcached_item_type:kv_item *;\n" - "diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if\n" - "index c11cb30..85645fc 100644\n" - "--- a/policy/modules/system/unconfined.if\n" - "+++ b/policy/modules/system/unconfined.if\n" - "@@ -77,6 +77,10 @@ interface(`unconfined_domain_noaudit',`\n" - " \t')\n" - " \n" - " \toptional_policy(`\n" - "+\t\tmemcached_unconfined($1)\n" - "+\t')\n" - "+\n" - "+\toptional_policy(`\n" - " \t\tnscd_unconfined($1)\n" - " \t')\n" - " \n" - "diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if\n" - "index fafdd3d..525f3b0 100644\n" - "--- a/policy/modules/system/userdomain.if\n" - "+++ b/policy/modules/system/userdomain.if\n" - "@@ -626,6 +626,11 @@ template(`userdom_common_user_template',`\n" - " \t\tlocate_read_lib_files($1_t)\n" - " \t')\n" - " \n" - "+\toptional_policy(`\n" - "+\t\tmemcached_stream_connect($1_t)\n" - "+\t\tmemcached_tcp_connect($1_t)\n" - "+\t')\n" - "+\n" - " \t# for running depmod as part of the kernel packaging process\n" - " \toptional_policy(`\n" - " \t\tmodutils_read_module_config($1_t)\n" - "@@ -1159,6 +1164,10 @@ template(`userdom_admin_user_template',`\n" - " \t')\n" - " \n" - " \toptional_policy(`\n" - "+\t\tmemcached_unconfined($1_t)\n" - "+\t')\n" - "+\n" - "+\toptional_policy(`\n" - " \t\tpostgresql_unconfined($1_t)\n" - " \t')" + "KaiGai Kohei <kaigai@ak.jp.nec.com>\n" + "-------------- next part --------------\n" + "A non-text attachment was scrubbed...\n" + "Name: 
refpolicy-memcached.1.patch\n" + "Type: text/x-patch\n" + "Size: 12660 bytes\n" + "Desc: not available\n" + Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100730/2c5c8356/attachment.bin -aed4de2c6676678d592261d0469481851936ad30f9064ae12c427a97d2e5d321 +4be9cfcb458395ac0ec0ab06657f606d0c6e9038970d1abec2555bd033da396b