diff --git a/Changelog b/Changelog index 5554a20..cd7cf83 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,7 @@ likewise (Scott Salley) pyicqt (Stefan Schulze Frielinghaus) sectoolm (Miroslav Grepl) + vhostmd (Dan Walsh) * Tue Nov 17 2009 Chris PeBenito - 2.20091117 - Add separate x_pointer and x_keyboard classes inheriting from x_device. diff --git a/policy/modules/services/vhostmd.fc b/policy/modules/services/vhostmd.fc new file mode 100644 index 0000000..c1fb329 --- /dev/null +++ b/policy/modules/services/vhostmd.fc @@ -0,0 +1,5 @@ +/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) + +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) + +/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if new file mode 100644 index 0000000..55e332f --- /dev/null +++ b/policy/modules/services/vhostmd.if @@ -0,0 +1,224 @@ +## Virtual host metrics daemon + +######################################## +## +## Execute a domain transition to run vhostmd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`vhostmd_domtrans',` + gen_require(` + type vhostmd_t, vhostmd_exec_t; + ') + + domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) +') + +######################################## +## +## Execute vhostmd server in the vhostmd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`vhostmd_initrc_domtrans',` + gen_require(` + type vhostmd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) +') + +######################################## +## +## Allow domain to read, vhostmd tmpfs files +## +## +## +## Domain to not audit. +## +## +# +interface(`vhostmd_read_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + allow $1 vhostmd_tmpfs_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## +## Do not audit attempts to read, +## vhostmd tmpfs files +## +## +## +## Domain to not audit. +## +## +# +interface(`vhostmd_dontaudit_read_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; +') + +####################################### +## +## Allow domain to read and write vhostmd tmpfs files +## +## +## +## Domain to not audit. +## +## +# +interface(`vhostmd_rw_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete vhostmd tmpfs files. +## +## +## +## Domain to not audit. +## +## +# +interface(`vhostmd_manage_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + files_search_tmp($1) +') + +######################################## +## +## Read vhostmd PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_read_pid_files',` + gen_require(` + type vhostmd_var_run_t; + ') + + files_search_pids($1) + allow $1 vhostmd_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage vhostmd var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_manage_pid_files',` + gen_require(` + type vhostmd_var_run_t; + ') + + manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) +') + +######################################## +## +## Connect to vhostmd over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_stream_connect',` + gen_require(` + type vhostmd_t, vhostmd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) +') + +####################################### +## +## Dontaudit read and write to vhostmd +## over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_dontaudit_rw_stream_connect',` + gen_require(` + type vhostmd_t; + ') + + dontaudit $1 vhostmd_t:unix_stream_socket { read write }; +') + +######################################## +## +## All of the rules required to administrate +## an vhostmd environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`vhostmd_admin',` + gen_require(` + type vhostmd_t, vhostmd_initrc_exec_t; + ') + + allow $1 vhostmd_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, vhostmd_t) + + vhostmd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 vhostmd_initrc_exec_t system_r; + allow $2 system_r; + + vhostmd_manage_tmpfs_files($1) + + vhostmd_manage_pid_files($1) + +') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te new file mode 100644 index 0000000..11a0217 --- /dev/null +++ b/policy/modules/services/vhostmd.te @@ -0,0 +1,77 @@ + +policy_module(vhostmd, 1.0.0) + +######################################## +# +# Declarations +# + +type vhostmd_t; +type vhostmd_exec_t; +init_daemon_domain(vhostmd_t, vhostmd_exec_t) + +type vhostmd_initrc_exec_t; +init_script_file(vhostmd_initrc_exec_t) + +type vhostmd_tmpfs_t; +files_tmpfs_file(vhostmd_tmpfs_t) + +type vhostmd_var_run_t; +files_pid_file(vhostmd_var_run_t) + +######################################## +# +# vhostmd local policy +# + +allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:process { setsched getsched }; +allow vhostmd_t self:fifo_file rw_file_perms; + +manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) + +manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) +manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) +files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) + +kernel_read_system_state(vhostmd_t) +kernel_read_network_state(vhostmd_t) +kernel_write_xen_state(vhostmd_t) + +corecmd_exec_bin(vhostmd_t) +corecmd_exec_shell(vhostmd_t) + +corenet_tcp_connect_soundd_port(vhostmd_t) + +files_read_etc_files(vhostmd_t) +files_read_usr_files(vhostmd_t) + +dev_read_sysfs(vhostmd_t) + +auth_use_nsswitch(vhostmd_t) + +logging_send_syslog_msg(vhostmd_t) + +miscfiles_read_localization(vhostmd_t) + +optional_policy(` + hostname_exec(vhostmd_t) +') + +optional_policy(` + rpm_exec(vhostmd_t) + rpm_read_db(vhostmd_t) +') + +optional_policy(` + virt_stream_connect(vhostmd_t) +') + +optional_policy(` + xen_domtrans_xm(vhostmd_t) + xen_stream_connect(vhostmd_t) + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +')