1 |
commit: 89638269fa556ca96e63141e6fe6eda88b0e74a1 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Mon Sep 24 09:51:20 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Thu Sep 27 17:15:33 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89638269 |
7 |
|
8 |
Changes to the cobbler policy module |
9 |
|
10 |
Ported from Fedora with changes |
11 |
|
12 |
Left out some unsatisfied dependencies |
13 |
|
14 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
15 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
16 |
|
17 |
--- |
18 |
policy/modules/contrib/cobbler.fc | 34 +++++++++-- |
19 |
policy/modules/contrib/cobbler.if | 29 +++++---- |
20 |
policy/modules/contrib/cobbler.te | 125 +++++++++++++++++++++++++++++++------ |
21 |
policy/modules/contrib/rsync.if | 49 ++++++++++++++ |
22 |
policy/modules/contrib/rsync.te | 2 +- |
23 |
policy/modules/contrib/tftp.if | 83 ++++++++++++++++++++++++ |
24 |
policy/modules/contrib/tftp.te | 2 +- |
25 |
7 files changed, 286 insertions(+), 38 deletions(-) |
26 |
|
27 |
diff --git a/policy/modules/contrib/cobbler.fc b/policy/modules/contrib/cobbler.fc |
28 |
index 1cf6c4e..cbeda66 100644 |
29 |
--- a/policy/modules/contrib/cobbler.fc |
30 |
+++ b/policy/modules/contrib/cobbler.fc |
31 |
@@ -1,7 +1,31 @@ |
32 |
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) |
33 |
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) |
34 |
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0) |
35 |
|
36 |
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) |
37 |
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0) |
38 |
|
39 |
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) |
40 |
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) |
41 |
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) |
42 |
+ |
43 |
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
44 |
+ |
45 |
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
46 |
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
47 |
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
48 |
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
49 |
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
50 |
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
51 |
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
52 |
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
53 |
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
54 |
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
55 |
+ |
56 |
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) |
57 |
+ |
58 |
+# This should removable when cobbler package installs /var/www/cobbler/rendered |
59 |
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0) |
60 |
+ |
61 |
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
62 |
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
63 |
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
64 |
+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
65 |
+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
66 |
+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
67 |
+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) |
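Review bot: The comment above the `/var/www/cobbler(/.*)?` entry is hard to act on, because it is ungrammatical and does not say which entry becomes removable. I would reword it to something like `# Remove once the cobbler package itself installs /var/www/cobbler/rendered` and place it directly above the entry it refers to. Separately, the `/var/lib/tftpboot/...` entries label boot loaders and PXE configuration as `cobbler_var_lib_t`, and the tftp.te change in this commit only bumps the module version. It is worth confirming that the tftp daemon is granted read access to that type elsewhere, otherwise boot clients are denied in enforcing mode.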
68 |
|
69 |
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if |
70 |
index 116d60f..f304c68 100644 |
71 |
--- a/policy/modules/contrib/cobbler.if |
72 |
+++ b/policy/modules/contrib/cobbler.if |
73 |
@@ -143,8 +143,8 @@ interface(`cobbler_manage_lib_files',` |
74 |
|
75 |
######################################## |
76 |
## <summary> |
77 |
-## All of the rules required to administrate |
78 |
-## an cobblerd environment |
79 |
+## All of the rules required to |
80 |
+## administrate an cobblerd environment. |
81 |
## </summary> |
82 |
## <param name="domain"> |
83 |
## <summary> |
84 |
@@ -161,25 +161,30 @@ interface(`cobbler_manage_lib_files',` |
85 |
interface(`cobblerd_admin',` |
86 |
gen_require(` |
87 |
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; |
88 |
- type cobbler_etc_t, cobblerd_initrc_exec_t; |
89 |
+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; |
90 |
+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t; |
91 |
') |
92 |
|
93 |
- allow $1 cobblerd_t:process { ptrace signal_perms getattr }; |
94 |
- read_files_pattern($1, cobblerd_t, cobblerd_t) |
95 |
+ allow $1 cobblerd_t:process { ptrace signal_perms }; |
96 |
+ ps_process_pattern($1, cobblerd_t) |
97 |
+ |
98 |
+ cobblerd_initrc_domtrans($1) |
99 |
+ domain_system_change_exemption($1) |
100 |
+ role_transition $2 cobblerd_initrc_exec_t system_r; |
101 |
+ allow $2 system_r; |
102 |
|
103 |
files_search_etc($1) |
104 |
admin_pattern($1, cobbler_etc_t) |
105 |
|
106 |
- files_list_var_lib($1) |
107 |
+ files_search_tmp($1) |
108 |
+ admin_pattern($1, cobbler_tmp_t) |
109 |
+ |
110 |
+ files_search_var_lib($1) |
111 |
admin_pattern($1, cobbler_var_lib_t) |
112 |
|
113 |
logging_search_logs($1) |
114 |
admin_pattern($1, cobbler_var_log_t) |
115 |
|
116 |
- admin_pattern($1, httpd_cobbler_content_rw_t) |
117 |
- |
118 |
- cobblerd_initrc_domtrans($1) |
119 |
- domain_system_change_exemption($1) |
120 |
- role_transition $2 cobblerd_initrc_exec_t system_r; |
121 |
- allow $2 system_r; |
122 |
+ apache_search_sys_content($1) |
123 |
+ admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) |
124 |
') |
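Review bot: `allow $1 cobblerd_t:process { ptrace signal_perms };` still gives every caller of `cobblerd_admin` unconditional ptrace on the daemon. A domain that can trace cobblerd_t can read its memory and act with its permissions, which per cobbler.te include `dac_override` and writing bind, rsync and tftp configuration. `signal_perms` together with the new `ps_process_pattern($1, cobblerd_t)` already cover signalling and inspecting the daemon, so consider dropping `ptrace` here, or state in the interface summary why it is required. The `$2` role parameter used by `role_transition` is documented outside this hunk.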
125 |
|
126 |
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te |
127 |
index 0258b48..948cbcc 100644 |
128 |
--- a/policy/modules/contrib/cobbler.te |
129 |
+++ b/policy/modules/contrib/cobbler.te |
130 |
@@ -2,17 +2,43 @@ policy_module(cobbler, 1.1.0) |
131 |
|
132 |
######################################## |
133 |
# |
134 |
-# Cobbler personal declarations. |
135 |
+# Declarations |
136 |
# |
137 |
|
138 |
+ |
139 |
## <desc> |
140 |
-## <p> |
141 |
-## Allow Cobbler to modify public files |
142 |
-## used for public file transfer services. |
143 |
-## </p> |
144 |
+## <p> |
145 |
+## Determine whether Cobbler can modify |
146 |
+## public files used for public file |
147 |
+## transfer services. |
148 |
+## </p> |
149 |
## </desc> |
150 |
gen_tunable(cobbler_anon_write, false) |
151 |
|
152 |
+## <desc> |
153 |
+## <p> |
154 |
+## Determine whether Cobbler can connect |
155 |
+## to the network using TCP. |
156 |
+## </p> |
157 |
+## </desc> |
158 |
+gen_tunable(cobbler_can_network_connect, false) |
159 |
+ |
160 |
+## <desc> |
161 |
+## <p> |
162 |
+## Determine whether Cobbler can access |
163 |
+## cifs file systems. |
164 |
+## </p> |
165 |
+## </desc> |
166 |
+gen_tunable(cobbler_use_cifs, false) |
167 |
+ |
168 |
+## <desc> |
169 |
+## <p> |
170 |
+## Determine whether Cobbler can access |
171 |
+## nfs file systems. |
172 |
+## </p> |
173 |
+## </desc> |
174 |
+gen_tunable(cobbler_use_nfs, false) |
175 |
+ |
176 |
type cobblerd_t; |
177 |
type cobblerd_exec_t; |
178 |
init_daemon_domain(cobblerd_t, cobblerd_exec_t) |
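Review bot: The description of `cobbler_can_network_connect` reads as if the boolean controls all outbound TCP, but a later hunk in this file grants `corenet_tcp_connect_http_port(cobblerd_t)` and `corenet_tcp_connect_ftp_port(cobblerd_t)` unconditionally. An administrator who leaves the boolean off to keep cobblerd from reaching out will still have HTTP and FTP egress allowed. I would word the description `## Determine whether Cobbler can connect to all TCP ports.` and add one sentence saying that HTTP and FTP client connections are always permitted.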
179 |
@@ -26,25 +52,38 @@ files_config_file(cobbler_etc_t) |
180 |
type cobbler_var_log_t; |
181 |
logging_log_file(cobbler_var_log_t) |
182 |
|
183 |
-type cobbler_var_lib_t; |
184 |
+type cobbler_var_lib_t alias cobbler_content_t; |
185 |
files_type(cobbler_var_lib_t) |
186 |
|
187 |
+type cobbler_tmp_t; |
188 |
+files_tmp_file(cobbler_tmp_t) |
189 |
+ |
190 |
+apache_content_template(cobbler) |
191 |
+ |
192 |
######################################## |
193 |
# |
194 |
-# Cobbler personal policy. |
195 |
+# Local policy |
196 |
# |
197 |
|
198 |
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; |
199 |
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; |
200 |
+dontaudit cobblerd_t self:capability sys_tty_config; |
201 |
allow cobblerd_t self:process { getsched setsched signal }; |
202 |
allow cobblerd_t self:fifo_file rw_fifo_file_perms; |
203 |
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; |
204 |
allow cobblerd_t self:tcp_socket create_stream_socket_perms; |
205 |
+allow cobblerd_t self:udp_socket create_socket_perms; |
206 |
|
207 |
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) |
208 |
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) |
209 |
|
210 |
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) |
211 |
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) |
212 |
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) |
213 |
+ |
214 |
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) |
215 |
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) |
216 |
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) |
217 |
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) |
218 |
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) |
219 |
|
220 |
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) |
221 |
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) |
222 |
@@ -53,26 +92,45 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) |
223 |
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) |
224 |
|
225 |
kernel_read_system_state(cobblerd_t) |
226 |
+kernel_dontaudit_search_network_state(cobblerd_t) |
227 |
|
228 |
corecmd_exec_bin(cobblerd_t) |
229 |
corecmd_exec_shell(cobblerd_t) |
230 |
|
231 |
corenet_all_recvfrom_netlabel(cobblerd_t) |
232 |
corenet_all_recvfrom_unlabeled(cobblerd_t) |
233 |
-corenet_sendrecv_cobbler_server_packets(cobblerd_t) |
234 |
-corenet_tcp_bind_cobbler_port(cobblerd_t) |
235 |
-corenet_tcp_bind_generic_node(cobblerd_t) |
236 |
corenet_tcp_sendrecv_generic_if(cobblerd_t) |
237 |
corenet_tcp_sendrecv_generic_node(cobblerd_t) |
238 |
-corenet_tcp_sendrecv_generic_port(cobblerd_t) |
239 |
+corenet_tcp_bind_generic_node(cobblerd_t) |
240 |
+ |
241 |
+corenet_sendrecv_cobbler_server_packets(cobblerd_t) |
242 |
+corenet_tcp_bind_cobbler_port(cobblerd_t) |
243 |
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t) |
244 |
+ |
245 |
+corenet_sendrecv_ftp_client_packets(cobblerd_t) |
246 |
+corenet_tcp_connect_ftp_port(cobblerd_t) |
247 |
+corenet_tcp_sendrecv_ftp_port(cobblerd_t) |
248 |
+ |
249 |
+corenet_tcp_sendrecv_http_port(cobblerd_t) |
250 |
+corenet_tcp_connect_http_port(cobblerd_t) |
251 |
+corenet_sendrecv_http_client_packets(cobblerd_t) |
252 |
|
253 |
dev_read_urand(cobblerd_t) |
254 |
|
255 |
-files_read_usr_files(cobblerd_t) |
256 |
files_list_boot(cobblerd_t) |
257 |
files_list_tmp(cobblerd_t) |
258 |
-# read /etc/nsswitch.conf |
259 |
+files_read_boot_files(cobblerd_t) |
260 |
files_read_etc_files(cobblerd_t) |
261 |
+files_read_etc_runtime_files(cobblerd_t) |
262 |
+files_read_usr_files(cobblerd_t) |
263 |
+ |
264 |
+fs_read_iso9660_files(cobblerd_t) |
265 |
+ |
266 |
+selinux_get_enforce_mode(cobblerd_t) |
267 |
+ |
268 |
+term_use_console(cobblerd_t) |
269 |
+ |
270 |
+logging_send_syslog_msg(cobblerd_t) |
271 |
|
272 |
miscfiles_read_localization(cobblerd_t) |
273 |
miscfiles_read_public_files(cobblerd_t) |
274 |
@@ -85,6 +143,28 @@ tunable_policy(`cobbler_anon_write',` |
275 |
miscfiles_manage_public_files(cobblerd_t) |
276 |
') |
277 |
|
278 |
+tunable_policy(`cobbler_can_network_connect',` |
279 |
+ corenet_sendrecv_all_client_packets(cobblerd_t) |
280 |
+ corenet_tcp_connect_all_ports(cobblerd_t) |
281 |
+ corenet_tcp_sendrecv_all_ports(cobblerd_t) |
282 |
+') |
283 |
+ |
284 |
+tunable_policy(`cobbler_use_cifs',` |
285 |
+ fs_manage_cifs_dirs(cobblerd_t) |
286 |
+ fs_manage_cifs_files(cobblerd_t) |
287 |
+ fs_manage_cifs_symlinks(cobblerd_t) |
288 |
+') |
289 |
+ |
290 |
+tunable_policy(`cobbler_use_nfs',` |
291 |
+ fs_manage_nfs_dirs(cobblerd_t) |
292 |
+ fs_manage_nfs_files(cobblerd_t) |
293 |
+ fs_manage_nfs_symlinks(cobblerd_t) |
294 |
+') |
295 |
+ |
296 |
+optional_policy(` |
297 |
+ apache_search_sys_content(cobblerd_t) |
298 |
+') |
299 |
+ |
300 |
optional_policy(` |
301 |
bind_read_config(cobblerd_t) |
302 |
bind_write_config(cobblerd_t) |
303 |
@@ -95,6 +175,10 @@ optional_policy(` |
304 |
') |
305 |
|
306 |
optional_policy(` |
307 |
+ certmaster_exec(cobblerd_t) |
308 |
+') |
309 |
+ |
310 |
+optional_policy(` |
311 |
dhcpd_domtrans(cobblerd_t) |
312 |
dhcpd_initrc_domtrans(cobblerd_t) |
313 |
') |
314 |
@@ -111,18 +195,21 @@ optional_policy(` |
315 |
|
316 |
optional_policy(` |
317 |
rsync_read_config(cobblerd_t) |
318 |
- rsync_write_config(cobblerd_t) |
319 |
+ rsync_manage_config_files(cobblerd_t) |
320 |
+ rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") |
321 |
') |
322 |
|
323 |
optional_policy(` |
324 |
- tftp_manage_rw_content(cobblerd_t) |
325 |
+ tftp_manage_config_files(cobblerd_t) |
326 |
+ tftp_etc_filetrans_config(cobblerd_t, file, "tftp") |
327 |
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) |
328 |
') |
329 |
|
330 |
######################################## |
331 |
# |
332 |
-# Cobbler web local policy. |
333 |
+# Web local policy |
334 |
# |
335 |
|
336 |
-apache_content_template(cobbler) |
337 |
+list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t) |
338 |
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) |
339 |
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) |
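Review bot: The name passed in `rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")` should be checked against the file cobbler actually writes, since the rsync daemon's configuration is conventionally `/etc/rsyncd.conf`. A named type transition fires only on an exact name match, so on a mismatch the new file would take the parent directory's type, which as far as this file shows cobblerd_t may only read, and the create would be denied. `rsync_read_config(cobblerd_t)` also looks redundant next to `rsync_manage_config_files(cobblerd_t)`, assuming the manage pattern includes read access as usual.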
340 |
|
341 |
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if |
342 |
index 3386f29..a580523 100644 |
343 |
--- a/policy/modules/contrib/rsync.if |
344 |
+++ b/policy/modules/contrib/rsync.if |
345 |
@@ -141,3 +141,52 @@ interface(`rsync_write_config',` |
346 |
allow $1 rsync_etc_t:file read_file_perms; |
347 |
files_search_etc($1) |
348 |
') |
349 |
+ |
350 |
+######################################## |
351 |
+## <summary> |
352 |
+## Create, read, write, and delete |
353 |
+## rsync config files. |
354 |
+## </summary> |
355 |
+## <param name="domain"> |
356 |
+## <summary> |
357 |
+## Domain allowed access. |
358 |
+## </summary> |
359 |
+## </param> |
360 |
+# |
361 |
+interface(`rsync_manage_config_files',` |
362 |
+ gen_require(` |
363 |
+ type rsync_etc_t; |
364 |
+ ') |
365 |
+ |
366 |
+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t) |
367 |
+ files_search_etc($1) |
368 |
+') |
369 |
+ |
370 |
+######################################## |
371 |
+## <summary> |
372 |
+## Create objects in etc directories |
373 |
+## with rsync etc type. |
374 |
+## </summary> |
375 |
+## <param name="domain"> |
376 |
+## <summary> |
377 |
+## Domain allowed to transition. |
378 |
+## </summary> |
379 |
+## </param> |
380 |
+## <param name="object_class"> |
381 |
+## <summary> |
382 |
+## Class of the object being created. |
383 |
+## </summary> |
384 |
+## </param> |
385 |
+## <param name="name" optional="true"> |
386 |
+## <summary> |
387 |
+## The name of the object being created. |
388 |
+## </summary> |
389 |
+## </param> |
390 |
+# |
391 |
+interface(`rsync_etc_filetrans_config',` |
392 |
+ gen_require(` |
393 |
+ type rsync_etc_t; |
394 |
+ ') |
395 |
+ |
396 |
+ files_etc_filetrans($1, rsync_etc_t, $2, $3) |
397 |
+') |
398 |
|
399 |
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te |
400 |
index 2834d86..d5e469e 100644 |
401 |
--- a/policy/modules/contrib/rsync.te |
402 |
+++ b/policy/modules/contrib/rsync.te |
403 |
@@ -1,4 +1,4 @@ |
404 |
-policy_module(rsync, 1.12.0) |
405 |
+policy_module(rsync, 1.12.1) |
406 |
|
407 |
######################################## |
408 |
# |
409 |
|
410 |
diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if |
411 |
index 38bb312..29b1bd9 100644 |
412 |
--- a/policy/modules/contrib/tftp.if |
413 |
+++ b/policy/modules/contrib/tftp.if |
414 |
@@ -40,6 +40,89 @@ interface(`tftp_manage_rw_content',` |
415 |
|
416 |
######################################## |
417 |
## <summary> |
418 |
+## Manage tftp config files. |
419 |
+## </summary> |
420 |
+## <param name="domain"> |
421 |
+## <summary> |
422 |
+## Domain allowed access. |
423 |
+## </summary> |
424 |
+## </param> |
425 |
+# |
426 |
+interface(`tftp_manage_config_files',` |
427 |
+ gen_require(` |
428 |
+ type tftpd_etc_t; |
429 |
+ ') |
430 |
+ |
431 |
+ files_search_etc($1) |
432 |
+ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t) |
433 |
+') |
434 |
+ |
435 |
+######################################## |
436 |
+## <summary> |
437 |
+## Create objects in etc directories |
438 |
+## with tftp etc type. |
439 |
+## </summary> |
440 |
+## <param name="domain"> |
441 |
+## <summary> |
442 |
+## Domain allowed to transition. |
443 |
+## </summary> |
444 |
+## </param> |
445 |
+## <param name="object_class"> |
446 |
+## <summary> |
447 |
+## Class of the object being created. |
448 |
+## </summary> |
449 |
+## </param> |
450 |
+## <param name="name" optional="true"> |
451 |
+## <summary> |
452 |
+## The name of the object being created. |
453 |
+## </summary> |
454 |
+## </param> |
455 |
+# |
456 |
+interface(`tftp_etc_filetrans_config',` |
457 |
+ gen_require(` |
458 |
+ type tftp_etc_t; |
459 |
+ ') |
460 |
+ |
461 |
+ files_etc_filetrans($1, tftp_etc_t, $2, $3) |
462 |
+') |
463 |
+ |
464 |
+######################################## |
465 |
+## <summary> |
466 |
+## Create objects in tftpdir directories |
467 |
+## with a private type. |
468 |
+## </summary> |
469 |
+## <param name="domain"> |
470 |
+## <summary> |
471 |
+## Domain allowed access. |
472 |
+## </summary> |
473 |
+## </param> |
474 |
+## <param name="private_type"> |
475 |
+## <summary> |
476 |
+## Private file type. |
477 |
+## </summary> |
478 |
+## </param> |
479 |
+## <param name="object_class"> |
480 |
+## <summary> |
481 |
+## Class of the object being created. |
482 |
+## </summary> |
483 |
+## </param> |
484 |
+## <param name="name" optional="true"> |
485 |
+## <summary> |
486 |
+## The name of the object being created. |
487 |
+## </summary> |
488 |
+## </param> |
489 |
+# |
490 |
+interface(`tftp_filetrans_tftpdir',` |
491 |
+ gen_require(` |
492 |
+ type tftpdir_rw_t; |
493 |
+ ') |
494 |
+ |
495 |
+ files_search_var_lib($1) |
496 |
+ filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) |
497 |
+') |
498 |
+ |
499 |
+######################################## |
500 |
+## <summary> |
501 |
## All of the rules required to administrate |
502 |
## an tftp environment |
503 |
## </summary> |
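Review bot: The two new config interfaces require different types: `tftp_manage_config_files` uses `tftpd_etc_t` while `tftp_etc_filetrans_config` uses `tftp_etc_t`. The tftp.te change in this commit adds no declaration, so unless tftp.te already declares both, one of these names is wrong. cobbler.te calls both from a single `optional_policy` block, and an unsatisfied `gen_require` disables the whole block, so `tftp_filetrans_tftpdir` would silently be dropped as well and files cobblerd creates in the tftp directory would keep the directory's label. Both interfaces should name the one type tftp.te declares, e.g. `type tftpd_etc_t;` and `files_etc_filetrans($1, tftpd_etc_t, $2, $3)` if that is the declared name. The hunk ends inside the doc comment of the following interface.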
504 |
|
505 |
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te |
506 |
index d50c10d..2fa2133 100644 |
507 |
--- a/policy/modules/contrib/tftp.te |
508 |
+++ b/policy/modules/contrib/tftp.te |
509 |
@@ -1,4 +1,4 @@ |
510 |
-policy_module(tftp, 1.12.0) |
511 |
+policy_module(tftp, 1.12.1) |
512 |
|
513 |
######################################## |
514 |
# |