Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: apcupsd policy
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 07 May 2007 12:01:28 -0400
> On Fri, 2007-04-20 at 15:26 -0400, dwalsh@redhat.com wrote: > >> --- nsaserefpolicy/policy/modules/services/apcupsd.fc 1969-12-31 19:00:00.000000000 -0500 >> + >> +## <summary>policy for apcupsd</summary> >> + >> +######################################## >> +## <summary> >> +## Execute a domain transition to run apcupsd. >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed to transition. >> +## </summary> >> +## </param> >> +# >> +interface(`apcupsd_domtrans',` >> + gen_require(` >> + type apcupsd_t, apcupsd_exec_t; >> + ') >> + >> + domain_auto_trans($1,apcupsd_exec_t,apcupsd_t) >> + >> + allow apcupsd_t $1:fd use; >> + allow apcupsd_t $1:fifo_file rw_file_perms; >> + allow apcupsd_t $1:process sigchld; >> +') >> + >> +######################################## >> +## <summary> >> +## Read apcupsd PID files. >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed access. >> +## </summary> >> +## </param> >> +# >> +interface(`apcupsd_read_pid_files',` >> + gen_require(` >> + type apcupsd_var_run_t; >> + ') >> + >> + files_search_pids($1) >> + allow $1 apcupsd_var_run_t:file r_file_perms; >> +') >> + >> + >> +######################################## >> +## <summary> >> +## Allow the specified domain to read apcupsd's log files. >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed access. >> +## </summary> >> +## </param> >> +## <rolecap/> >> +# >> +interface(`apcupsd_read_log',` >> + gen_require(` >> + type apcupsd_log_t; >> + ') >> + >> + logging_search_logs($1) >> + allow $1 apcupsd_log_t:dir r_dir_perms; >> + allow $1 apcupsd_log_t:file { read getattr lock }; >> +') >> + >> +######################################## >> +## <summary> >> +## Allow the specified domain to append >> +## apcupsd log files. >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed to transition. >> +## </summary> >> +## </param> >> +# >> +interface(`apcupsd_append_log',` >> + gen_require(` >> + type var_log_t, apcupsd_log_t; >> + ') >> + >> + logging_search_logs($1) >> + allow $1 apcupsd_log_t:dir r_dir_perms; >> + allow $1 apcupsd_log_t:file { getattr append }; >> +') >> + >> +######################################## >> +## <summary> >> +## Execute a domain transition to run httpd_apcupsd_cgi_script. >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed to transition. >> +## </summary> >> +## </param> >> +# >> +interface(`httpd_apcupsd_cgi_script_domtrans',` >> + gen_require(` >> + type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; >> + ') >> + >> + domain_auto_trans($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t) >> + >> + allow httpd_apcupsd_cgi_script_t $1:fd use; >> + allow httpd_apcupsd_cgi_script_t $1:fifo_file rw_file_perms; >> + allow httpd_apcupsd_cgi_script_t $1:process sigchld; >> +') >> --- nsaserefpolicy/policy/modules/services/apcupsd.te 1969-12-31 19:00:00.000000000 -0500 >> +policy_module(apcupsd,1.0.0) >> + >> +######################################## >> +# >> +# Declarations >> +# >> + >> +type apcupsd_t; >> +type apcupsd_exec_t; >> +domain_type(apcupsd_t) >> +init_daemon_domain(apcupsd_t, apcupsd_exec_t) >> + >> +type apcupsd_lock_t; >> +files_lock_file(apcupsd_lock_t) >> + >> +type apcupsd_log_t; >> +logging_log_file(apcupsd_log_t) >> + >> +type apcupsd_var_run_t; >> +files_pid_file(apcupsd_var_run_t) >> + >> +######################################## >> +# >> +# apcupsd local policy >> +# >> + >> +# Init script handling >> +init_use_fds(apcupsd_t) >> +init_use_script_ptys(apcupsd_t) >> +domain_use_interactive_fds(apcupsd_t) >> + >> +allow apcupsd_t self:fifo_file rw_file_perms; >> +allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; >> +allow apcupsd_t self:tcp_socket create_stream_socket_perms; >> + >> +corenet_tcp_bind_apcupsd_port(apcupsd_t) >> +corenet_tcp_bind_all_nodes(apcupsd_t) >> +corenet_tcp_sendrecv_generic_if(apcupsd_t) >> +corenet_tcp_sendrecv_all_nodes(apcupsd_t) >> +corenet_tcp_sendrecv_all_ports(apcupsd_t) >> + >> +dev_rw_generic_usb_dev(apcupsd_t) >> + >> +files_read_etc_files(apcupsd_t) >> +files_search_locks(apcupsd_t) >> + >> +libs_use_ld_so(apcupsd_t) >> +libs_use_shared_libs(apcupsd_t) >> + >> +miscfiles_read_localization(apcupsd_t) >> + >> +ifdef(`targeted_policy',` >> + term_dontaudit_use_unallocated_ttys(apcupsd_t) >> + term_dontaudit_use_generic_ptys(apcupsd_t) >> +') >> + >> +allow apcupsd_t apcupsd_lock_t:file manage_file_perms; >> +files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file) >> + >> +allow apcupsd_t apcupsd_log_t:file manage_file_perms; >> +allow apcupsd_t apcupsd_log_t:dir { rw_dir_perms setattr }; >> +logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir }) >> + >> +allow apcupsd_t apcupsd_var_run_t:file manage_file_perms; >> +allow apcupsd_t apcupsd_var_run_t:dir rw_dir_perms; >> +files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file) >> + >> +logging_send_syslog_msg(apcupsd_t) >> + >> +######################################## >> +# >> +# apcupsd_cgi Declarations >> +# >> + >> +apache_content_template(apcupsd_cgi) >> + >> +# Default Networking >> +sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) >> +corenet_non_ipsec_sendrecv(httpd_apcupsd_cgi_script_t) >> + >> +allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; >> +corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) >> +corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) >> +corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) >> +corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) >> + >> +allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; >> +corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) >> +corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) >> +corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) >> + >> > > Merged, except for the cgi part. Also some reordering. The apcupsd > port definition was missing so I commented out the relevant lines for > now. > >
Added the network defs.
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Mon 7 May 2007 - 12:01:47 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |