Gentoo's Bugzilla – Attachment 21446 Details for Bug 34669 – policy file for daemontools
type enforcement file: svc.te (text/plain), 5.02 KB, created by petre rodan (RETIRED) on 2003-11-28 23:24:57 UTC
# $Id: svc.te,v 1.7 2003/11/28 15:11:55 peter Exp $
#
# author Petre Rodan <petre.rodan@ravantivirus.com>
#
# get the latest version of this file from
# http://team.rav.ro/peter/policy.tar.gz
#

#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks to D. J. Bernstein and the NSA team for the great software
# they provide
#
#
# svc_exec_t runs in the svc_t domain
# svc_multilog_t runs in multilog_t
#

##############################################################
# type definitions

type svc_exec_t, file_type, sysadmfile, exec_type;
type svc_run_t, file_type, sysadmfile, exec_type;
type svc_svc_t, file_type, sysadmfile;
type svc_lnk_t, file_type, sysadmfile;
type svc_down_t, file_type, sysadmfile;
type svc_control_t, file_type, sysadmfile;
type svc_ok_t, file_type, sysadmfile;
type svc_lock_t, file_type, sysadmfile;
type svc_status_t, file_type, sysadmfile;
type svc_logstatus_t, file_type, sysadmfile;

type svc_env_t, file_type, sysadmfile;
type svc_log_t, file_type, sysadmfile;

type svc_multilog_t, file_type, exec_type, sysadmfile;
type svc_tai64n_t, file_type, exec_type, sysadmfile;
type svc_tai64nlocal_t, file_type, exec_type, sysadmfile;
type svc_softlimit_t, file_type, exec_type, sysadmfile;
type svc_setuidgid_t, file_type, exec_type, sysadmfile;
type svc_envuidgid_t, file_type, exec_type, sysadmfile;
type svc_envdir_t, file_type, exec_type, sysadmfile;
type svc_setlock_t, file_type, exec_type, sysadmfile;

##############################################################
# the svc domain

type svc_t, domain;
role system_r types svc_t;
role sysadm_r types svc_t;

allow { initrc_t sysadm_t } svc_exec_t :file { execute execute_no_trans read };
allow { initrc_t sysadm_t } { svc_run_t svc_setuidgid_t svc_envuidgid_t svc_envdir_t svc_softlimit_t } :file { execute execute_no_trans read };

domain_auto_trans(initrc_t, svc_exec_t, svc_t);
uses_shlib(svc_t);

allow svc_t self:capability { setgid fsetid setuid sys_time };
allow svc_t self:fifo_file { read write getattr ioctl };
allow svc_t self:tcp_socket { ioctl read write };
allow svc_t self:dir { search };
allow svc_t self:file { read };
allow svc_t self:process { sigchld fork };


allow svc_t { svc_envdir_t svc_setuidgid_t svc_envuidgid_t svc_softlimit_t }: file { execute execute_no_trans getattr read };

allow svc_t svc_control_t:fifo_file { read write };
allow svc_t svc_env_t:dir { getattr read search };
allow svc_t svc_env_t:file { read };
allow svc_t svc_env_t:lnk_file { read };
allow svc_t svc_exec_t:file { execute_no_trans };
allow svc_t svc_lock_t:file { append lock };
allow svc_t svc_lnk_t:lnk_file { read };
allow svc_t svc_lnk_t:dir { getattr read search };
allow svc_t svc_ok_t:fifo_file { read };
allow svc_t svc_run_t:file { execute execute_no_trans getattr read };
allow svc_t svc_svc_t:file { create getattr rename unlink write };
allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };

# read /etc/nsswitch.conf
allow svc_t etc_t:file { getattr read };

allow svc_t { bin_t sbin_t }:dir { search };
allow svc_t { bin_t sbin_t }:file { execute execute_no_trans getattr read };
allow svc_t bin_t:lnk_file { read };
allow svc_t console_device_t:chr_file { read write };
allow svc_t devtty_t:chr_file { read write };
allow svc_t etc_runtime_t:file { getattr read };
allow svc_t init_t:fd { use };
allow svc_t proc_t:dir { search };
allow svc_t proc_t:file { getattr read };
allow svc_t proc_t:lnk_file { read };
allow svc_t shell_exec_t:file { execute_no_trans execute read };
allow svc_t sysctl_kernel_t:dir { search };
allow svc_t sysctl_kernel_t:file { read };

ifdef(`ssh.te', `
domain_auto_trans(svc_t, sshd_exec_t, sshd_t)
')

ifdef(`qmail.te', `
allow svc_t qmail_start_exec_t:file { getattr read execute execute_no_trans };
domain_auto_trans(svc_t, qmail_start_exec_t, qmail_start_t)

# the starting script reads /var/qmail/defaultdelivery
allow svc_t etc_qmail_t:dir { search };
allow svc_t etc_qmail_t:file { getattr read };

allow qmail_send_t svc_t:fd { use };
allow qmail_send_t svc_t:fifo_file { write };
allow qmail_send_t svc_t:process { sigchld };
allow qmail_start_t svc_svc_t:dir { getattr search };
')
##############################################################


##############################################################
# the logger

type multilog_t, domain;

role system_r types multilog_t;

domain_auto_trans( { initrc_t svc_t } , svc_multilog_t, multilog_t);
uses_shlib(multilog_t);

allow multilog_t init_t:fd { use };
allow multilog_t svc_log_t:dir { add_name read search remove_name write };
allow multilog_t svc_log_t:file { append create link lock getattr setattr unlink };

allow multilog_t var_log_t:dir { read search add_name getattr remove_name write };
allow multilog_t var_log_t:file { append getattr lock setattr create link rename unlink };

allow multilog_t svc_svc_t:dir { read search };
allow multilog_t console_device_t:chr_file { read write };
allow multilog_t var_log_ksyms_t:file { append getattr setattr };
allow multilog_t svc_logstatus_t:file { append write };
##############################################################