diff options
Diffstat (limited to 'policy/modules/services/cvs.te')
-rw-r--r-- | policy/modules/services/cvs.te | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te new file mode 100644 index 00000000..f090b62a --- /dev/null +++ b/policy/modules/services/cvs.te @@ -0,0 +1,125 @@ +policy_module(cvs, 1.13.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Determine whether cvs can read shadow +## password files. +## </p> +## </desc> +gen_tunable(allow_cvs_read_shadow, false) + +type cvs_t; +type cvs_exec_t; +inetd_tcp_service_domain(cvs_t, cvs_exec_t) +init_daemon_domain(cvs_t, cvs_exec_t) +application_executable_file(cvs_exec_t) + +type cvs_data_t; # customizable +files_type(cvs_data_t) + +type cvs_initrc_exec_t; +init_script_file(cvs_initrc_exec_t) + +type cvs_keytab_t; +files_type(cvs_keytab_t) + +type cvs_tmp_t; +files_tmp_file(cvs_tmp_t) + +type cvs_var_run_t; +files_pid_file(cvs_var_run_t) + +######################################## +# +# Local policy +# + +allow cvs_t self:capability { setgid setuid }; +allow cvs_t self:process signal_perms; +allow cvs_t self:fifo_file rw_fifo_file_perms; +allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow cvs_t self:tcp_socket { accept listen }; + +manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) +manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) + +allow cvs_t cvs_keytab_t:file read_file_perms; + +manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) +manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) +files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file }) + +manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) +files_pid_filetrans(cvs_t, cvs_var_run_t, file) + +kernel_read_kernel_sysctls(cvs_t) +kernel_read_system_state(cvs_t) +kernel_read_network_state(cvs_t) + +corenet_all_recvfrom_unlabeled(cvs_t) +corenet_all_recvfrom_netlabel(cvs_t) +corenet_tcp_sendrecv_generic_if(cvs_t) +corenet_tcp_sendrecv_generic_node(cvs_t) + +corenet_sendrecv_cvs_server_packets(cvs_t) +corenet_tcp_bind_cvs_port(cvs_t) +corenet_tcp_sendrecv_cvs_port(cvs_t) + +corecmd_exec_bin(cvs_t) +corecmd_exec_shell(cvs_t) + +dev_read_urand(cvs_t) + +files_read_etc_runtime_files(cvs_t) +files_search_home(cvs_t) + +fs_getattr_xattr_fs(cvs_t) + +auth_domtrans_chk_passwd(cvs_t) +auth_use_nsswitch(cvs_t) + +init_read_utmp(cvs_t) + +logging_send_syslog_msg(cvs_t) +logging_send_audit_msgs(cvs_t) + +miscfiles_read_localization(cvs_t) + +userdom_dontaudit_search_user_home_dirs(cvs_t) + +# cjp: typeattribute doesnt work in conditionals yet +auth_can_read_shadow_passwords(cvs_t) +tunable_policy(`allow_cvs_read_shadow',` + allow cvs_t self:capability dac_override; + auth_tunable_read_shadow(cvs_t) +') + +optional_policy(` + kerberos_read_config(cvs_t) + kerberos_read_keytab(cvs_t) + kerberos_use(cvs_t) + kerberos_dontaudit_write_config(cvs_t) +') + +optional_policy(` + mta_send_mail(cvs_t) +') + +######################################## +# +# CVSWeb local policy +# + +optional_policy(` + apache_content_template(cvs) + + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) +') |