SELinux Mailing List
Re: apcupsd policy
From: Christopher J. PeBenito <cpebenito_at_tresys.com>
Date: Mon, 07 May 2007 10:50:46 -0400
> --- nsaserefpolicy/policy/modules/services/apcupsd.fc 1969-12-31 19:00:00.000000000 -0500 > + > +## <summary>policy for apcupsd</summary> > + > +######################################## > +## <summary> > +## Execute a domain transition to run apcupsd. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +# > +interface(`apcupsd_domtrans',` > + gen_require(` > + type apcupsd_t, apcupsd_exec_t; > + ') > + > + domain_auto_trans($1,apcupsd_exec_t,apcupsd_t) > + > + allow apcupsd_t $1:fd use; > + allow apcupsd_t $1:fifo_file rw_file_perms; > + allow apcupsd_t $1:process sigchld; > +') > + > +######################################## > +## <summary> > +## Read apcupsd PID files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`apcupsd_read_pid_files',` > + gen_require(` > + type apcupsd_var_run_t; > + ') > + > + files_search_pids($1) > + allow $1 apcupsd_var_run_t:file r_file_perms; > +') > + > + > +######################################## > +## <summary> > +## Allow the specified domain to read apcupsd's log files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <rolecap/> > +# > +interface(`apcupsd_read_log',` > + gen_require(` > + type apcupsd_log_t; > + ') > + > + logging_search_logs($1) > + allow $1 apcupsd_log_t:dir r_dir_perms; > + allow $1 apcupsd_log_t:file { read getattr lock }; > +') > + > +######################################## > +## <summary> > +## Allow the specified domain to append > +## apcupsd log files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. 
> +## </summary> > +## </param> > +# > +interface(`apcupsd_append_log',` > + gen_require(` > + type var_log_t, apcupsd_log_t; > + ') > + > + logging_search_logs($1) > + allow $1 apcupsd_log_t:dir r_dir_perms; > + allow $1 apcupsd_log_t:file { getattr append }; > +') > + > +######################################## > +## <summary> > +## Execute a domain transition to run httpd_apcupsd_cgi_script. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +# > +interface(`httpd_apcupsd_cgi_script_domtrans',` > + gen_require(` > + type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; > + ') > + > + domain_auto_trans($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t) > + > + allow httpd_apcupsd_cgi_script_t $1:fd use; > + allow httpd_apcupsd_cgi_script_t $1:fifo_file rw_file_perms; > + allow httpd_apcupsd_cgi_script_t $1:process sigchld; > +') > --- nsaserefpolicy/policy/modules/services/apcupsd.te 1969-12-31 19:00:00.000000000 -0500 > +policy_module(apcupsd,1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type apcupsd_t; > +type apcupsd_exec_t; > +domain_type(apcupsd_t) > +init_daemon_domain(apcupsd_t, apcupsd_exec_t) > + > +type apcupsd_lock_t; > +files_lock_file(apcupsd_lock_t) > + > +type apcupsd_log_t; > +logging_log_file(apcupsd_log_t) > + > +type apcupsd_var_run_t; > +files_pid_file(apcupsd_var_run_t) > + > +######################################## > +# > +# apcupsd local policy > +# > + > +# Init script handling > +init_use_fds(apcupsd_t) > +init_use_script_ptys(apcupsd_t) > +domain_use_interactive_fds(apcupsd_t) > + > +allow apcupsd_t self:fifo_file rw_file_perms; > +allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; > +allow apcupsd_t self:tcp_socket create_stream_socket_perms; > + > +corenet_tcp_bind_apcupsd_port(apcupsd_t) > +corenet_tcp_bind_all_nodes(apcupsd_t) > 
+corenet_tcp_sendrecv_generic_if(apcupsd_t) > +corenet_tcp_sendrecv_all_nodes(apcupsd_t) > +corenet_tcp_sendrecv_all_ports(apcupsd_t) > + > +dev_rw_generic_usb_dev(apcupsd_t) > + > +files_read_etc_files(apcupsd_t) > +files_search_locks(apcupsd_t) > + > +libs_use_ld_so(apcupsd_t) > +libs_use_shared_libs(apcupsd_t) > + > +miscfiles_read_localization(apcupsd_t) > + > +ifdef(`targeted_policy',` > + term_dontaudit_use_unallocated_ttys(apcupsd_t) > + term_dontaudit_use_generic_ptys(apcupsd_t) > +') > + > +allow apcupsd_t apcupsd_lock_t:file manage_file_perms; > +files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file) > + > +allow apcupsd_t apcupsd_log_t:file manage_file_perms; > +allow apcupsd_t apcupsd_log_t:dir { rw_dir_perms setattr }; > +logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir }) > + > +allow apcupsd_t apcupsd_var_run_t:file manage_file_perms; > +allow apcupsd_t apcupsd_var_run_t:dir rw_dir_perms; > +files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file) > + > +logging_send_syslog_msg(apcupsd_t) > + > +######################################## > +# > +# apcupsd_cgi Declarations > +# > + > +apache_content_template(apcupsd_cgi) > + > +# Default Networking > +sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) > +corenet_non_ipsec_sendrecv(httpd_apcupsd_cgi_script_t) > + > +allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; > +corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) > +corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) > +corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) > +corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) > + > +allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; > +corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) > +corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) > +corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) > + Merged, except for the cgi part. Also some reordering. 
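Review bot: the hunk headed apcupsd.fc contains only interface definitions (the apcupsd.if content) and no file-context entries, so the labelling of the daemon binary, log, lock and PID files as apcupsd_exec_t, apcupsd_log_t, apcupsd_lock_t and apcupsd_var_run_t is not visible in the quoted patch; the apcupsd.fc file should be included, since without those labels the init_daemon_domain() transition never fires and the filetrans rules have nothing to match. Within the interfaces, apcupsd_append_log lists var_log_t in its gen_require but never uses it, and its <param> summary reads "Domain allowed to transition." where the other read/append interfaces use "Domain allowed access."; suggest dropping var_log_t and fixing the summary.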
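Review bot: in the apcupsd.te hunk, apcupsd_t binds only the apcupsd port (corenet_tcp_bind_apcupsd_port) yet is granted corenet_tcp_sendrecv_all_ports, which is broader than a daemon with a single listening port needs; consider restricting it to the apcupsd port once that port is defined in corenetwork (the reply notes the definition is missing, so the bind and connect lines will not build until it is added). domain_type(apcupsd_t) is already applied by init_daemon_domain() in reference policy's init.if and can be dropped. The httpd_apcupsd_cgi_script_t section opens up all interfaces, nodes and ports for both TCP and UDP while the CGI only needs to reach the apcupsd port and DNS; a narrower set in the style of the daemon section would keep the web-facing domain tighter.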
The apcupsd port definition was missing so I commented out the relevant lines for now.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

Received on Mon 7 May 2007 - 10:51:19 EDT

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009