blueness 11/02/05 20:41:05 |
|
Added: add-gorg.patch |
Log: |
Bulk addition of new selinux policies. |
|
(Portage version: 2.1.9.25/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 sec-policy/selinux-gorg/files/add-gorg.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-gorg/files/add-gorg.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-gorg/files/add-gorg.patch?rev=1.1&content-type=text/plain |
|
Index: add-gorg.patch |
=================================================================== |
--- services/gorg.te 1970-01-01 01:00:00.000000000 +0100 |
18 |
+++ ../../../refpolicy/policy/modules/services/gorg.te 2011-01-07 22:35:18.986000107 +0100 |
19 |
@@ -0,0 +1,59 @@ |
20 |
+policy_module(gorg, 1.0.0) |
21 |
+ |
22 |
+type gorg_t; |
23 |
+type gorg_exec_t; |
24 |
+typealias gorg_t alias { staff_gorg_t user_gorg_t }; |
25 |
+application_domain(gorg_t, gorg_exec_t) |
26 |
+role staff_r types gorg_t; |
27 |
+role user_r types gorg_t; |
28 |
+ |
29 |
+type gorg_cache_t; |
30 |
+files_type(gorg_cache_t); |
31 |
+ |
32 |
+type gorg_config_t; |
33 |
+files_type(gorg_config_t); |
34 |
+ |
35 |
+# Allow gorg_t to put files in the gorg_cache_t location(s) |
36 |
+manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t) |
37 |
+manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t) |
38 |
+ |
39 |
+# Allow gorg_t to read configuration file(s) |
40 |
+allow gorg_t gorg_config_t:dir list_dir_perms; |
41 |
+read_files_pattern(gorg_t, gorg_config_t, gorg_config_t) |
42 |
+ |
43 |
+# gorg logs through /dev/log |
44 |
+logging_send_syslog_msg(gorg_t) |
45 |
+ |
46 |
+# Allow gorg to bind to port 8080 (http_cache_port_t) |
47 |
+sysnet_read_config(gorg_t) |
48 |
+sysnet_dns_name_resolve(gorg_t) |
49 |
+corenet_all_recvfrom_unlabeled(gorg_t) |
50 |
+corenet_all_recvfrom_netlabel(gorg_t) |
51 |
+corenet_tcp_sendrecv_generic_if(gorg_t) |
52 |
+corenet_tcp_sendrecv_generic_node(gorg_t) |
53 |
+#corenet_tcp_sendrecv_all_ports(gorg_t) |
54 |
+corenet_tcp_bind_generic_node(gorg_t) |
55 |
+corenet_tcp_bind_http_cache_port(gorg_t) |
56 |
+allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read }; |
57 |
+allow gorg_t self:tcp_socket { listen accept }; |
58 |
+ |
59 |
+# Allow gorg read access to user home files (usually where cvs/git pull is stored) |
60 |
+files_search_home(gorg_t) |
61 |
+userdom_search_user_home_dirs(gorg_t) |
62 |
+userdom_user_home_content(gorg_t) |
63 |
+userdom_list_user_home_content(gorg_t) |
64 |
+userdom_read_user_home_content_symlinks(gorg_t) |
65 |
+userdom_read_user_home_content_files(gorg_t) |
66 |
+ |
67 |
+# Local policy |
68 |
+allow gorg_t self:fifo_file rw_fifo_file_perms; |
69 |
+ |
70 |
+# Read /etc files (xml/catalog, hosts.conf, ...) |
71 |
+files_read_etc_files(gorg_t) |
72 |
+ |
73 |
+# Gorg is ruby, so be able to execute ruby |
74 |
+corecmd_exec_bin(gorg_t) |
75 |
+ |
76 |
+# Output to screen |
77 |
+userdom_use_user_terminals(gorg_t) |
78 |
+domain_use_interactive_fds(gorg_t) |
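Review bot: `userdom_user_home_content(gorg_t)` in the home-access stanza is, in refpolicy, the interface that declares a *file* type as user home content (it attaches the home-content attribute and `files_type` to its argument) rather than one that grants a domain access, so applying it to the process domain gorg_t turns gorg_t into a file type that any domain with user-home or all-files rules may then match; the surrounding `userdom_search/list/read_user_home_content_*` calls already provide the intended read access, so that line should simply be dropped. Separately, a domain that listens on a TCP port (`corenet_tcp_bind_http_cache_port`, `self:tcp_socket { listen accept }`) and can also read every user's regular home files is a broad combination for a static-site generator; refpolicy convention is to gate that access behind a boolean so deployments that keep the checkout elsewhere can turn it off, as sketched below. Finally, reaching the `/var/cache/gorg` location labelled in gorg.fc presumably requires search on its `var_t` parents (`files_search_var(gorg_t)`), which this module does not grant — confirm with an audit run before shipping.
```selinux
policy_module(gorg, 1.0.0)

## <desc>
## <p>
## Allow gorg to read files in user home directories
## (where a cvs/git checkout of the site is usually kept).
## </p>
## </desc>
gen_tunable(gorg_read_user_home, false)

# … unchanged: type declarations, cache/config, syslog and network rules …

tunable_policy(`gorg_read_user_home',`
	files_search_home(gorg_t)
	userdom_search_user_home_dirs(gorg_t)
	userdom_list_user_home_content(gorg_t)
	userdom_read_user_home_content_symlinks(gorg_t)
	userdom_read_user_home_content_files(gorg_t)
')

# … unchanged: fifo, /etc, bin exec and terminal rules …
```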
79 |
--- services/gorg.fc 1970-01-01 01:00:00.000000000 +0100 |
80 |
+++ ../../../refpolicy/policy/modules/services/gorg.fc 2011-01-07 22:35:22.840999786 +0100 |
81 |
@@ -0,0 +1,3 @@ |
82 |
+/etc/gorg(/.*)? gen_context(system_u:object_r:gorg_config_t,s0) |
83 |
+/var/cache/gorg(/.*)? gen_context(system_u:object_r:gorg_cache_t,s0) |
84 |
+/usr/bin/gorg -- gen_context(system_u:object_r:gorg_exec_t,s0) |