Gentoo's Bugzilla – Attachment 23605 Details for Bug 34669: policy file for daemontools
Attachment 23605: type enforcement
Filename: daemontools.te
MIME Type: text/plain
Creator: petre rodan (RETIRED)
Created: 2004-01-11 10:19:52 UTC
Size: 5.16 KB
Flags: patch, obsolete
#DESC Daemontools - Tools for managing UNIX services
#
# Author Petre Rodan <petre.rodan@ravantivirus.com>
# with the help of Chris PeBenito, Russell Coker and Tad Glines
#

#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks to D. J. Bernstein and the NSA team for the great software
# they provide
#

##############################################################
# type definitions

type svc_conf_t, file_type, sysadmfile;
type svc_log_t, file_type, sysadmfile;
type svc_svc_t, file_type, sysadmfile;


##############################################################
# the domains

define(`svc_sub_domain', `
daemon_sub_domain(svc_t, svc_$1)
')

define(`svc_filedir_domain', `
create_dir_file($1, svc_svc_t)
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')

define(`svc_confdir_domain', `
r_dir_file($1, svc_conf_t)
')

daemon_base_domain(svc_script)
svc_filedir_domain(svc_script_t)

# part started by initrc_t
daemon_base_domain(svc_start)
svc_filedir_domain(svc_start_t)

# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)

# the domain for /service/*/run and /service/*/log/run
daemon_sub_domain(svc_start_t, svc_run)
svc_confdir_domain(svc_run_t)

# the logger
daemon_sub_domain(svc_run_t, svc_multilog)
file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);

######
# rules for all those domains

# svc_start_t
allow svc_start_t self:fifo_file rw_file_perms;
allow svc_start_t self:capability { kill };

allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
can_exec(svc_start_t, shell_exec_t)
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
allow svc_start_t svc_run_t:process { signal };

# svc_run_t
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:fifo_file rw_file_perms;
allow svc_run_t self:file r_file_perms;
allow svc_run_t self:process { fork };
allow svc_run_t svc_svc_t:dir r_dir_perms;
allow svc_run_t svc_svc_t:file r_file_perms;
allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
can_exec(svc_run_t, ls_exec_t)
can_exec(svc_run_t, shell_exec_t)
allow svc_run_t devtty_t:chr_file rw_file_perms;
allow svc_run_t etc_runtime_t:file r_file_perms;
allow svc_run_t exec_type:{ file lnk_file } getattr;
allow svc_run_t init_t:fd { use };
allow svc_run_t initrc_t:fd { use };
allow svc_run_t proc_t:file r_file_perms;
allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
allow svc_run_t sysctl_kernel_t:file r_file_perms;
allow svc_run_t var_lib_t:dir r_dir_perms;


# multilog creates /service/*/log/status
allow svc_multilog_t svc_svc_t:dir { read search };
allow svc_multilog_t svc_svc_t:file { append write };
# writes to /var/log/*/*
allow svc_multilog_t var_log_t:dir create_dir_perms;
allow svc_multilog_t var_log_t:file create_file_perms;
# misc
allow svc_multilog_t init_t:fd { use };
allow svc_start_t svc_multilog_t:process { signal };
svc_ipc_domain(svc_multilog_t)


# run_init can control svc_script_t and svc_start_t domains
domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
allow initrc_t { svc_script_exec_t svc_start_exec_t }:file { entrypoint };
svc_filedir_domain(initrc_t)

allow svc_script_t self:capability { sys_admin };
allow svc_script_t self:fifo_file { getattr read write };
allow svc_script_t bin_t:dir r_dir_perms;
allow svc_script_t bin_t:lnk_file r_file_perms;
can_exec(svc_script_t, bin_t)
can_exec(svc_script_t, shell_exec_t)
allow svc_script_t proc_t:file r_file_perms;
allow svc_script_t shell_exec_t:file rx_file_perms;
allow svc_script_t devtty_t:chr_file rw_file_perms;
allow svc_script_t etc_runtime_t:file r_file_perms;
allow svc_script_t svc_run_exec_t:file r_file_perms;
allow svc_script_t svc_script_exec_t:file { execute_no_trans };
# sleep
allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
allow svc_script_t sysctl_kernel_t:file r_file_perms;
allow svc_script_t var_t:dir r_dir_perms;


################################################################
# scripts that can be started by daemontools

ifdef(`ucspi-tcp.te', `
domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
allow svc_run_t utcpserver_t:process { signal };
allow svc_start_t utcpserver_t:process { signal };
svc_ipc_domain(utcpserver_t)
')

ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
')

ifdef(`qmail.te', `
allow svc_run_t qmail_start_exec_t:file rx_file_perms;
domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
# r qmail configs from /var/qmail/control/*
allow svc_run_t etc_qmail_t:dir r_dir_perms;
allow svc_run_t etc_qmail_t:file r_file_perms;

allow svc_start_t qmail_send_t:process { signal };
svc_ipc_domain(qmail_send_t)
svc_ipc_domain(qmail_start_t)
svc_ipc_domain(qmail_queue_t)
svc_ipc_domain(qmail_smtpd_t)
')

ifdef(`publicfile.te', `
svc_ipc_domain(publicfile_t)
')
##############################################################
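The policy above builds a chain of domains (run_init_t / initrc_t into svc_script_t and svc_start_t, then svc_run_t for each /service/*/run script, then svc_multilog_t and whatever daemons svc_run_t is allowed to transition into) and hands out capabilities along the way: svc_script_t gets sys_admin, and svc_run_t gets setuid, setgid, chown and fsetid together with can_exec over etc_t, lib_t, bin_t and sbin_t. When reviewing a .te file like this it helps to pull that transition graph and those capability grants out mechanically rather than reading rule by rule. The script below is an added review aid, not part of the attachment or of the daemontools policy; it runs on a constructed excerpt of the file embedded inline. It assumes the old example-policy macro expansions, namely that daemon_base_domain(x) defines x_t with entrypoint x_exec_t entered from initrc_t, and daemon_sub_domain(p, x) defines x_t with entrypoint x_exec_t entered from p; check those against the macros/global_macros.te in the policy tree you actually build. Rules inside ifdef() are treated as active, which is the conservative reading of what the policy can grant.

```python
"""Extract the domain-transition graph and capability grants from an
old-style (2004 example policy) SELinux .te file such as daemontools.te.
Added review aid; not part of the attached policy."""
import re
from collections import defaultdict, deque

# Constructed excerpt of the attached daemontools.te, kept inline so the
# example runs offline. Feed parse_te() the real file for the full picture.
SAMPLE_TE = """\
daemon_base_domain(svc_script)
# part started by initrc_t
daemon_base_domain(svc_start)
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
daemon_sub_domain(svc_start_t, svc_run)
daemon_sub_domain(svc_run_t, svc_multilog)
allow svc_start_t self:capability { kill };
allow svc_run_t self:capability { setgid setuid chown fsetid };
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
allow svc_script_t self:capability { sys_admin };
ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
')
"""

# ASSUMED macro expansions (old example policy, macros/global_macros.te;
# verify against your policy tree):
#   daemon_base_domain(x)   -> x_t entered from initrc_t via x_exec_t
#   daemon_sub_domain(p, x) -> x_t entered from p via x_exec_t
RE_BASE = re.compile(r"^daemon_base_domain\((\w+)\)")
RE_SUB = re.compile(r"^daemon_sub_domain\((\w+),\s*(\w+)\)")
RE_TRANS = re.compile(r"^domain_auto_trans\((\w+),\s*(\w+),\s*(\w+)\)")
RE_CAP = re.compile(r"^allow\s+(\w+)\s+self:capability\s*\{([^}]*)\}")
RE_EXEC = re.compile(r"^can_exec\((\w+),\s*(\w+)\)")


def parse_te(text):
    """Return (transitions, capabilities, exec_types).

    transitions:  set of (source_domain, entrypoint_type, target_domain)
    capabilities: domain -> set of capability names allowed on self
    exec_types:   domain -> set of file types granted via can_exec()
    ifdef() wrappers are ignored, so conditional rules count as active.
    """
    transitions = set()
    capabilities = defaultdict(set)
    exec_types = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RE_BASE.match(line)
        if m:
            transitions.add(("initrc_t", m[1] + "_exec_t", m[1] + "_t"))
            continue
        m = RE_SUB.match(line)
        if m:
            transitions.add((m[1], m[2] + "_exec_t", m[2] + "_t"))
            continue
        m = RE_TRANS.match(line)
        if m:
            transitions.add((m[1], m[2], m[3]))
            continue
        m = RE_CAP.match(line)
        if m:
            capabilities[m[1]].update(m[2].split())
            continue
        m = RE_EXEC.match(line)
        if m:
            exec_types[m[1]].add(m[2])
    return transitions, dict(capabilities), dict(exec_types)


def reachable(transitions, start):
    """Domains a process that starts in `start` can end up in (BFS)."""
    seen, todo = {start}, deque([start])
    while todo:
        cur = todo.popleft()
        for src, _entry, dst in transitions:
            if src == cur and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    seen.discard(start)
    return seen


def risky_grants(capabilities, exec_types,
                 watch=("sys_admin", "setuid", "setgid", "chown")):
    """Domains holding a watched capability, paired with what they may exec.
    A domain with setuid/setgid plus can_exec over bin_t/sbin_t/etc_t is
    what a reviewer wants to look at first."""
    report = {}
    for dom, caps in capabilities.items():
        hit = sorted(caps.intersection(watch))
        if hit:
            report[dom] = (hit, sorted(exec_types.get(dom, ())))
    return report


if __name__ == "__main__":
    trans, caps, execs = parse_te(SAMPLE_TE)
    for t in sorted(trans):
        print("%s --[%s]--> %s" % t)
    print("reachable from run_init_t:", sorted(reachable(trans, "run_init_t")))
    for dom, (hit, ex) in sorted(risky_grants(caps, execs).items()):
        print(dom, "caps:", hit, "can_exec:", ex)
```

On the excerpt this prints the chain run_init_t to svc_script_t to svc_start_t to svc_run_t to svc_multilog_t (and sshd_t when ssh.te is present) and flags svc_run_t and svc_script_t. The parser only understands the handful of constructs this file uses; macros such as svc_ipc_domain() that are defined elsewhere are simply skipped, so check the companion attachments on the bug for anything they add.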
Attachments on bug 34669: 21445, 21446, 21653, 21654, 21922, 22076, 22078, 23605