
From: "Anthony G. Basile (blueness)" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-gorg/files: add-gorg.patch
Date: Sat, 05 Feb 2011 20:42:27
Message-Id: 20110205204105.1D84A2006A@flycatcher.gentoo.org
1 blueness 11/02/05 20:41:05
2
3 Added: add-gorg.patch
4 Log:
5 Bulk addition of new selinux policies.
6
7 (Portage version: 2.1.9.25/cvs/Linux x86_64)
8
9 Revision Changes Path
10 1.1 sec-policy/selinux-gorg/files/add-gorg.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-gorg/files/add-gorg.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-gorg/files/add-gorg.patch?rev=1.1&content-type=text/plain
14
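Index: add-gorg.patch
===================================================================
--- services/gorg.te 1970-01-01 01:00:00.000000000 +0100
+++ ../../../refpolicy/policy/modules/services/gorg.te 2011-01-07 22:35:18.986000107 +0100
@@ -0,0 +1,59 @@
+policy_module(gorg, 1.0.0)
+
+type gorg_t;
+type gorg_exec_t;
+typealias gorg_t alias { staff_gorg_t user_gorg_t };
+application_domain(gorg_t, gorg_exec_t)
+role staff_r types gorg_t;
+role user_r types gorg_t;
+
+type gorg_cache_t;
+files_type(gorg_cache_t);
+
+type gorg_config_t;
+files_type(gorg_config_t);
+
+# Allow gorg_t to put files in the gorg_cache_t location(s)
+manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+
+# Allow gorg_t to read configuration file(s)
+allow gorg_t gorg_config_t:dir list_dir_perms;
+read_files_pattern(gorg_t, gorg_config_t, gorg_config_t)
+
+# gorg logs through /dev/log
+logging_send_syslog_msg(gorg_t)
+
+# Allow gorg to bind to port 8080 (http_cache_port_t)
+sysnet_read_config(gorg_t)
+sysnet_dns_name_resolve(gorg_t)
+corenet_all_recvfrom_unlabeled(gorg_t)
+corenet_all_recvfrom_netlabel(gorg_t)
+corenet_tcp_sendrecv_generic_if(gorg_t)
+corenet_tcp_sendrecv_generic_node(gorg_t)
+#corenet_tcp_sendrecv_all_ports(gorg_t)
+corenet_tcp_bind_generic_node(gorg_t)
+corenet_tcp_bind_http_cache_port(gorg_t)
+allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow gorg_t self:tcp_socket { listen accept };
+
+# Allow gorg read access to user home files (usually where cvs/git pull is stored)
+files_search_home(gorg_t)
+userdom_search_user_home_dirs(gorg_t)
+userdom_user_home_content(gorg_t)
+userdom_list_user_home_content(gorg_t)
+userdom_read_user_home_content_symlinks(gorg_t)
+userdom_read_user_home_content_files(gorg_t)
+
+# Local policy
+allow gorg_t self:fifo_file rw_fifo_file_perms;
+
+# Read /etc files (xml/catalog, hosts.conf, ...)
+files_read_etc_files(gorg_t)
+
+# Gorg is ruby, so be able to execute ruby
+corecmd_exec_bin(gorg_t)
+
+# Output to screen
+userdom_use_user_terminals(gorg_t)
+domain_use_interactive_fds(gorg_t)
--- services/gorg.fc 1970-01-01 01:00:00.000000000 +0100
+++ ../../../refpolicy/policy/modules/services/gorg.fc 2011-01-07 22:35:22.840999786 +0100
@@ -0,0 +1,3 @@
+/etc/gorg(/.*)? gen_context(system_u:object_r:gorg_config_t,s0)
+/var/cache/gorg(/.*)? gen_context(system_u:object_r:gorg_cache_t,s0)
+/usr/bin/gorg -- gen_context(system_u:object_r:gorg_exec_t,s0)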
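Review bot: `userdom_user_home_content(gorg_t)` in the gorg.te hunk looks like a misuse of the interface: in refpolicy it takes a file type and marks it as user home content (typeattribute user_home_type plus files_type), so applying it to the gorg_t process domain turns the domain type itself into a home-directory file type and hands home-managing user domains file permissions on it, while the read access the comment above describes is already granted by the `userdom_read_user_home_content_files(gorg_t)` line, so the line should simply be dropped. The TCP rules grant only `allow gorg_t self:tcp_socket { listen accept };` and nothing that allows creating the socket, so the bind to http_cache_port_t announced in the comment presumably fails at socket() unless another interface covers it; the usual form is `allow gorg_t self:tcp_socket create_stream_socket_perms;`. The patch also adds gorg.te and gorg.fc but no gorg.if, so no domtrans/role interface exists for staff_r or user_r to enter gorg_t from gorg_exec_t; if that interface file is supplied elsewhere in the ebuild, a one-line comment in gorg.te saying so would save the next reader the search.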