Attachment 23605 Details for Bug 34669 – type enforcement

type enforcement

daemontools.te (text/plain), 5.16 KB, created by petre rodan (RETIRED) on 2004-01-11 10:19:52 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: petre rodan (RETIRED)

Created: 2004-01-11 10:19:52 UTC

Size: 5.16 KB

patch

obsolete

>#DESC Daemontools - Tools for managing UNIX services
>#
># Author Petre Rodan <petre.rodan@ravantivirus.com>
># with the help of Chris PeBenito, Russell Coker and Tad Glines
># 
>
>#
># selinux policy for daemontools
># http://cr.yp.to/daemontools.html
>#
># thanks for D. J. Bernstein and the NSA team for the great software
># they provide
>#
>
>##############################################################
># type definitions
>
>type svc_conf_t, file_type, sysadmfile;
>type svc_log_t, file_type, sysadmfile;
>type svc_svc_t, file_type, sysadmfile;
>
>
>##############################################################
># the domains
>
>define(`svc_sub_domain', `
>daemon_sub_domain(svc_t, svc_$1)
>')
>
>define(`svc_filedir_domain', `
>create_dir_file($1, svc_svc_t)
>file_type_auto_trans($1, svc_svc_t, svc_svc_t);
>')
>
>define(`svc_confdir_domain', `
>r_dir_file($1, svc_conf_t)
>')
>
>daemon_base_domain(svc_script)
>svc_filedir_domain(svc_script_t)
>
># part started by initrc_t
>daemon_base_domain(svc_start)
>svc_filedir_domain(svc_start_t)
>
># also get here from svc_script_t
>domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
>
># the domain for /service/*/run and /service/*/log/run
>daemon_sub_domain(svc_start_t, svc_run)
>svc_confdir_domain(svc_run_t)
>
># the logger
>daemon_sub_domain(svc_run_t, svc_multilog)
>file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
>
>######
># rules for all those domains
>
># svc_start_t
>allow svc_start_t self:fifo_file rw_file_perms;
>allow svc_start_t self:capability { kill };
>
>allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
>allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
>can_exec(svc_start_t, shell_exec_t)
>allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
>allow svc_start_t svc_run_t:process { signal };
>
># svc_run_t
>allow svc_run_t self:capability { setgid setuid chown fsetid };
>allow svc_run_t self:fifo_file rw_file_perms;
>allow svc_run_t self:file r_file_perms;
>allow svc_run_t self:process { fork };
>allow svc_run_t svc_svc_t:dir r_dir_perms;
>allow svc_run_t svc_svc_t:file r_file_perms;
>allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
>allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
>allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
>can_exec(svc_run_t, etc_t)
>can_exec(svc_run_t, lib_t)
>can_exec(svc_run_t, bin_t)
>can_exec(svc_run_t, sbin_t)
>can_exec(svc_run_t, ls_exec_t)
>can_exec(svc_run_t, shell_exec_t)
>allow svc_run_t devtty_t:chr_file rw_file_perms;
>allow svc_run_t etc_runtime_t:file r_file_perms;
>allow svc_run_t exec_type:{ file lnk_file } getattr;
>allow svc_run_t init_t:fd { use };
>allow svc_run_t initrc_t:fd { use };
>allow svc_run_t proc_t:file r_file_perms;
>allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
>allow svc_run_t sysctl_kernel_t:file r_file_perms;
>allow svc_run_t var_lib_t:dir r_dir_perms;
>
>
># multilog creates /service/*/log/status
>allow svc_multilog_t svc_svc_t:dir { read search };
>allow svc_multilog_t svc_svc_t:file { append write };
># writes to /var/log/*/*
>allow svc_multilog_t var_log_t:dir create_dir_perms;
>allow svc_multilog_t var_log_t:file create_file_perms;
># misc
>allow svc_multilog_t init_t:fd { use };
>allow svc_start_t svc_multilog_t:process { signal };
>svc_ipc_domain(svc_multilog_t)
>
>
># run_init can control svc_script_t and svc_start_t domains
>domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
>domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
>allow initrc_t { svc_script_exec_t svc_start_exec_t }:file { entrypoint };
>svc_filedir_domain(initrc_t)
>
>allow svc_script_t self:capability { sys_admin };
>allow svc_script_t self:fifo_file { getattr read write };
>allow svc_script_t bin_t:dir r_dir_perms;
>allow svc_script_t bin_t:lnk_file r_file_perms;
>can_exec(svc_script_t, bin_t)
>can_exec(svc_script_t, shell_exec_t)
>allow svc_script_t proc_t:file r_file_perms;
>allow svc_script_t shell_exec_t:file rx_file_perms;
>allow svc_script_t devtty_t:chr_file rw_file_perms;
>allow svc_script_t etc_runtime_t:file r_file_perms;
>allow svc_script_t svc_run_exec_t:file r_file_perms;
>allow svc_script_t svc_script_exec_t:file { execute_no_trans };
># sleep
>allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
>allow svc_script_t sysctl_kernel_t:file r_file_perms;
>allow svc_script_t var_t:dir r_dir_perms;
>
>
>################################################################
># scripts that can be started by daemontools
>
>ifdef(`ucspi-tcp.te', `
>domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
>allow svc_run_t utcpserver_t:process { signal };
>allow svc_start_t utcpserver_t:process { signal };
>svc_ipc_domain(utcpserver_t)
>')
>
>ifdef(`ssh.te', `
>domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
>svc_ipc_domain(sshd_t)
>')
>
>ifdef(`qmail.te', `
>allow svc_run_t qmail_start_exec_t:file rx_file_perms;
>domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
># r qmail configs from /var/qmail/control/*
>allow svc_run_t etc_qmail_t:dir r_dir_perms;
>allow svc_run_t etc_qmail_t:file r_file_perms;
>
>allow svc_start_t qmail_send_t:process { signal };
>svc_ipc_domain(qmail_send_t)
>svc_ipc_domain(qmail_start_t)
>svc_ipc_domain(qmail_queue_t)
>svc_ipc_domain(qmail_smtpd_t)
>')
>
>ifdef(`publicfile.te', `
>svc_ipc_domain(publicfile_t)
>')
>##############################################################
>
>

Actions: View

Attachments on bug 34669: 21445 | 21446 | 21653 | 21654 | 21922 | 22076 | 22078 | 23605