SELinux Mailing List

Re: apcupsd policy

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 07 May 2007 12:01:28 -0400


Christopher J. PeBenito wrote:

> On Fri, 2007-04-20 at 15:26 -0400, dwalsh@redhat.com wrote:
>   
>> --- nsaserefpolicy/policy/modules/services/apcupsd.fc	1969-12-31 19:00:00.000000000 -0500
>> +++ serefpolicy-2.5.12/policy/modules/services/apcupsd.fc 2007-04-11 17:07:34.000000000 -0400
>> @@ -0,0 +1,9 @@
>> +
>> +/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
>> +/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
>> +/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
>> +
>> +/var/www/apcupsd/multimon.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
>> +/var/www/apcupsd/upsfstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
>> +/var/www/apcupsd/upsimage.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
>> +/var/www/apcupsd/upsstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
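Review bot: the four /var/www/apcupsd/*.cgi entries label files with httpd_apcupsd_cgi_script_exec_t, a type that only exists once the apcupsd_cgi part of apcupsd.te (the apache_content_template call) is in the policy; since the reply at the end of the quoted patch says the cgi part was not merged, these four context lines reference a type the merged module does not define and should be dropped together with it, or reinstated in the same change that brings the cgi declarations back. Minor style point: the new .fc starts with an empty line before the first entry.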
>> --- nsaserefpolicy/policy/modules/services/apcupsd.if 1969-12-31 19:00:00.000000000 -0500
>> +++ serefpolicy-2.5.12/policy/modules/services/apcupsd.if 2007-04-11 17:07:34.000000000 -0400
>> @@ -0,0 +1,108 @@
>> +
>> +## <summary>policy for apcupsd</summary>
>> +
>> +########################################
>> +## <summary>
>> +## Execute a domain transition to run apcupsd.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`apcupsd_domtrans',`
>> + gen_require(`
>> + type apcupsd_t, apcupsd_exec_t;
>> + ')
>> +
>> + domain_auto_trans($1,apcupsd_exec_t,apcupsd_t)
>> +
>> + allow apcupsd_t $1:fd use;
>> + allow apcupsd_t $1:fifo_file rw_file_perms;
>> + allow apcupsd_t $1:process sigchld;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Read apcupsd PID files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`apcupsd_read_pid_files',`
>> + gen_require(`
>> + type apcupsd_var_run_t;
>> + ')
>> +
>> + files_search_pids($1)
>> + allow $1 apcupsd_var_run_t:file r_file_perms;
>> +')
>> +
>> +
>> +########################################
>> +## <summary>
>> +## Allow the specified domain to read apcupsd's log files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`apcupsd_read_log',`
>> + gen_require(`
>> + type apcupsd_log_t;
>> + ')
>> +
>> + logging_search_logs($1)
>> + allow $1 apcupsd_log_t:dir r_dir_perms;
>> + allow $1 apcupsd_log_t:file { read getattr lock };
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Allow the specified domain to append
>> +## apcupsd log files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`apcupsd_append_log',`
>> + gen_require(`
>> + type var_log_t, apcupsd_log_t;
>> + ')
>> +
>> + logging_search_logs($1)
>> + allow $1 apcupsd_log_t:dir r_dir_perms;
>> + allow $1 apcupsd_log_t:file { getattr append };
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Execute a domain transition to run httpd_apcupsd_cgi_script.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`httpd_apcupsd_cgi_script_domtrans',`
>> + gen_require(`
>> + type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
>> + ')
>> +
>> + domain_auto_trans($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
>> +
>> + allow httpd_apcupsd_cgi_script_t $1:fd use;
>> + allow httpd_apcupsd_cgi_script_t $1:fifo_file rw_file_perms;
>> + allow httpd_apcupsd_cgi_script_t $1:process sigchld;
>> +')
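Review bot: in apcupsd_append_log the gen_require block pulls in var_log_t, which nothing in the interface body uses (logging_search_logs($1) already provides the search on the log directory), so it should be removed from the require list; in the same interface the <param> summary reads "Domain allowed to transition." although the interface only grants append access and performs no transition, so it should say "Domain allowed access." as apcupsd_read_pid_files and apcupsd_read_log do. Also note that httpd_apcupsd_cgi_script_domtrans requires httpd_apcupsd_cgi_script_t and httpd_apcupsd_cgi_script_exec_t, which only exist if the cgi part of apcupsd.te is merged; it has to go in or out together with that part.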
>> --- nsaserefpolicy/policy/modules/services/apcupsd.te	1969-12-31 19:00:00.000000000 -0500
>> +++ serefpolicy-2.5.12/policy/modules/services/apcupsd.te 2007-04-12 15:16:19.000000000 -0400
>> @@ -0,0 +1,91 @@
>> +policy_module(apcupsd,1.0.0)
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +type apcupsd_t;
>> +type apcupsd_exec_t;
>> +domain_type(apcupsd_t)
>> +init_daemon_domain(apcupsd_t, apcupsd_exec_t)
>> +
>> +type apcupsd_lock_t;
>> +files_lock_file(apcupsd_lock_t)
>> +
>> +type apcupsd_log_t;
>> +logging_log_file(apcupsd_log_t)
>> +
>> +type apcupsd_var_run_t;
>> +files_pid_file(apcupsd_var_run_t)
>> +
>> +########################################
>> +#
>> +# apcupsd local policy
>> +#
>> +
>> +# Init script handling
>> +init_use_fds(apcupsd_t)
>> +init_use_script_ptys(apcupsd_t)
>> +domain_use_interactive_fds(apcupsd_t)
>> +
>> +allow apcupsd_t self:fifo_file rw_file_perms;
>> +allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
>> +allow apcupsd_t self:tcp_socket create_stream_socket_perms;
>> +
>> +corenet_tcp_bind_apcupsd_port(apcupsd_t)
>> +corenet_tcp_bind_all_nodes(apcupsd_t)
>> +corenet_tcp_sendrecv_generic_if(apcupsd_t)
>> +corenet_tcp_sendrecv_all_nodes(apcupsd_t)
>> +corenet_tcp_sendrecv_all_ports(apcupsd_t)
>> +
>> +dev_rw_generic_usb_dev(apcupsd_t)
>> +
>> +files_read_etc_files(apcupsd_t)
>> +files_search_locks(apcupsd_t)
>> +
>> +libs_use_ld_so(apcupsd_t)
>> +libs_use_shared_libs(apcupsd_t)
>> +
>> +miscfiles_read_localization(apcupsd_t)
>> +
>> +ifdef(`targeted_policy',`
>> + term_dontaudit_use_unallocated_ttys(apcupsd_t)
>> + term_dontaudit_use_generic_ptys(apcupsd_t)
>> +')
>> +
>> +allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
>> +files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file)
>> +
>> +allow apcupsd_t apcupsd_log_t:file manage_file_perms;
>> +allow apcupsd_t apcupsd_log_t:dir { rw_dir_perms setattr };
>> +logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
>> +
>> +allow apcupsd_t apcupsd_var_run_t:file manage_file_perms;
>> +allow apcupsd_t apcupsd_var_run_t:dir rw_dir_perms;
>> +files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
>> +
>> +logging_send_syslog_msg(apcupsd_t)
>> +
>> +########################################
>> +#
>> +# apcupsd_cgi Declarations
>> +#
>> +
>> +apache_content_template(apcupsd_cgi)
>> +
>> +# Default Networking
>> +sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
>> +corenet_non_ipsec_sendrecv(httpd_apcupsd_cgi_script_t)
>> +
>> +allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
>> +corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
>> +corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
>> +corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
>> +corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
>> +
>> +allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
>> +corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
>> +corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
>> +corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
>> +
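Review bot: corenet_tcp_bind_apcupsd_port(apcupsd_t) and corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) depend on an apcupsd port being declared in corenetwork, and that declaration is not part of this patch (the reply confirms the port definition was missing and those lines were commented out), so the port definition should be submitted with the module rather than separately. The local policy section also has no self:process rule, while the follow-up states that apcupsd signals itself; without something like `allow apcupsd_t self:process signal;` that will show up as a denial. Finally, corenet_tcp_sendrecv_all_ports(apcupsd_t) is broad for a daemon that only binds its own port and is worth narrowing once the port type exists.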
>>     
>
> Merged, except for the cgi part.  Also some reordering.  The apcupsd
> port definition was missing so I commented out the relevant lines for
> now.
>
>   

Added the network defs.
apcupsd signals itself also.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Mon 7 May 2007 - 12:01:47 EDT

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009