add quota
parent
5a3895a9f6
commit
052c953ae5
|
@ -8,6 +8,7 @@
|
|||
* Added policies:
|
||||
acct
|
||||
mysql
|
||||
quota
|
||||
su
|
||||
sudo
|
||||
tmpreaper
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
|
||||
/sbin/quota(check|on) -- context_template(system_u:object_r:quota_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/usr/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0)
|
||||
',`
|
||||
/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0)
|
||||
')
|
||||
|
||||
HOME_ROOT/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/var/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/var/lib/quota(/.*)? context_template(system_u:object_r:quota_flag_t,s0)
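Review bot: The quota database patterns cover only the home root and `/var` (`HOME_ROOT/a?quota\.(user|group)` and `/var/a?quota\.(user|group)`), so a database at the root of any other quota-enabled filesystem keeps its parent directory's type instead of quota_db_t. The TODO block in the policy module names root_t, usr_t, src_t and var_spool_t as directories where quotacheck creates these files, which suggests more locations are expected. Consider adding matching entries, for example `/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)`, or add a comment stating that only the home root and /var are labelled for now.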
|
|
@ -0,0 +1,81 @@
|
|||
## <summary>File system quota management</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute quota management tools in the quota domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`quota_domtrans',`
|
||||
gen_require(`
|
||||
type quota_t, quota_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,quota_exec_t,quota_t)
|
||||
|
||||
allow $1 quota_t:fd use;
|
||||
allow quota_t $1:fd use;
|
||||
allow quota_t $1:fifo_file rw_file_perms;
|
||||
allow quota_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute quota management tools in the quota domain, and
|
||||
## allow the specified role the quota domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the quota domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the quota domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`quota_run',`
|
||||
gen_require(`
|
||||
type quota_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
quota_domtrans($1)
|
||||
role $2 types quota_t;
|
||||
allow quota_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of filesystem quota data files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`quota_dontaudit_getattr_db',`
|
||||
gen_require(`
|
||||
type quota_db_t;
|
||||
class file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 quota_db_t:file getattr;
|
||||
')
|
||||
|
||||
interface(`quota_manage_flags',`
|
||||
gen_require(`
|
||||
type quota_flag_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 quota_flag_t:dir rw_dir_perms;
|
||||
allow $1 quota_flag_t:file create_file_perms;
|
||||
')
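Review bot: `quota_manage_flags` is the only interface in this file without a `## <summary>` and `## <param name="domain">` header, so the generated interface documentation will have no entry text for it. Add a header block in the same form as the other three interfaces, with a summary such as `## Manage quota flag files.` and the domain parameter described as `## Domain allowed access.`. The summary is worth having here in particular because the interface grants write access to a directory and create permissions on its files, which a reader should see without opening the body.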
|
|
@ -0,0 +1,89 @@
|
|||
|
||||
policy_module(quota,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type quota_t;
|
||||
type quota_exec_t;
|
||||
init_system_domain(quota_t,quota_exec_t)
|
||||
|
||||
type quota_db_t;
|
||||
files_type(quota_db_t)
|
||||
|
||||
type quota_flag_t;
|
||||
files_type(quota_flag_t)
|
||||
|
||||
allow quota_t self:capability { sys_admin dac_override };
|
||||
dontaudit quota_t self:capability sys_tty_config;
|
||||
allow quota_t self:process signal_perms;
|
||||
|
||||
# for /quota.*
|
||||
allow quota_t quota_db_t:file { read write quotaon };
|
||||
|
||||
kernel_list_proc(quota_t)
|
||||
kernel_read_proc_symlinks(quota_t)
|
||||
kernel_read_kernel_sysctl(quota_t)
|
||||
|
||||
dev_read_sysfs(quota_t)
|
||||
dev_getattr_all_blk_files(quota_t)
|
||||
dev_getattr_all_chr_files(quota_t)
|
||||
|
||||
fs_get_xattr_fs_quota(quota_t)
|
||||
fs_set_xattr_fs_quota(quota_t)
|
||||
fs_getattr_xattr_fs(quota_t)
|
||||
fs_remount_xattr_fs(quota_t)
|
||||
fs_search_auto_mountpoints(quota_t)
|
||||
|
||||
storage_raw_read_fixed_disk(quota_t)
|
||||
|
||||
term_dontaudit_use_console(quota_t)
|
||||
|
||||
domain_use_wide_inherit_fd(quota_t)
|
||||
|
||||
files_list_all_dirs(quota_t)
|
||||
files_read_all_files(quota_t)
|
||||
files_read_all_symlinks(quota_t)
|
||||
files_getattr_all_pipes(quota_t)
|
||||
files_getattr_all_sockets(quota_t)
|
||||
# Read /etc/mtab.
|
||||
files_read_etc_runtime_files(quota_t)
|
||||
|
||||
init_use_fd(quota_t)
|
||||
init_use_script_pty(quota_t)
|
||||
|
||||
libs_use_ld_so(quota_t)
|
||||
libs_use_shared_libs(quota_t)
|
||||
|
||||
logging_send_syslog_msg(quota_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(quota_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(quota_t)
|
||||
term_dontaudit_use_generic_pty(quota_t)
|
||||
files_dontaudit_read_root_file(quota_t)
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(quota_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(quota_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(quota_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# quotacheck creates new quota_db_t files
|
||||
file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
|
||||
|
||||
allow quota_t file_t:file quotaon;
|
||||
|
||||
allow quota_t proc_t:file getattr;
|
||||
') dnl end TODO
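Review bot: `files_read_all_files(quota_t)` gives the quota domain read access to the contents of every file carrying the file_type attribute, and the interface as added in this same commit also calls `auth_read_shadow($1)` when authlogin is built, so quota_t ends up able to read the shadow password file. Together with `storage_raw_read_fixed_disk(quota_t)` and the `dac_override` capability this is a wide grant for a domain entered from init scripts and from sysadm. If the tools only need to walk directories and stat files, `files_list_all_dirs(quota_t)` plus `files_getattr_all_files(quota_t)` may be enough; if content reads are really required, a comment next to the call saying why would help later reviewers.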
|
|
@ -214,6 +214,42 @@ interface(`fs_relabelfrom_xattr_fs',`
|
|||
allow $1 fs_t:filesystem relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the filesystem quotas of a filesystem
|
||||
## with extended attributes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain mounting the filesystem.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_get_xattr_fs_quota',`
|
||||
gen_require(`
|
||||
type fs_t;
|
||||
class filesystem quotaget;
|
||||
')
|
||||
|
||||
allow $1 fs_t:filesystem quotaget;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the filesystem quotas of a filesystem
|
||||
## with extended attributes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain mounting the filesystem.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_set_xattr_fs_quota',`
|
||||
gen_require(`
|
||||
type fs_t;
|
||||
class filesystem quotamod;
|
||||
')
|
||||
|
||||
allow $1 fs_t:filesystem quotamod;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount an automount pseudo filesystem.
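Review bot: The `<param name="domain">` text on both new interfaces, `fs_get_xattr_fs_quota` and `fs_set_xattr_fs_quota`, reads "The type of the domain mounting the filesystem.", which looks copied from a mount interface and does not describe a quota caller. Suggest `## The type of the domain getting the filesystem quotas.` and `## The type of the domain setting the filesystem quotas.` respectively. Accurate parameter text matters here because the second interface grants `quotamod` on fs_t, and the documentation is what a policy author reads when deciding whether to call it.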
|
||||
|
|
|
@ -140,8 +140,29 @@ interface(`files_dontaudit_getattr_all_dirs',`
|
|||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of all directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# files_getattr_all_files(domain)
|
||||
interface(`files_list_all_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_all_files',`
|
||||
gen_require(`
|
||||
|
@ -172,6 +193,29 @@ interface(`files_dontaudit_getattr_all_files',`
|
|||
dontaudit $1 file_type:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_all_files',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir search;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:file r_file_perms;
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
auth_read_shadow($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all symbolic links.
|
||||
|
@ -209,6 +253,25 @@ interface(`files_dontaudit_getattr_all_symlinks',`
|
|||
dontaudit $1 file_type:lnk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all symbolic links.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_all_symlinks',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir search;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all named pipes.
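Review bot: `files_read_all_files` calls `auth_read_shadow($1)` inside its optional_policy block, yet its summary only says "Read all files.", so a caller cannot tell from the documentation that the shadow password file is part of the grant. State this in the summary, e.g. `## Read all files, including the shadow password file when the authlogin module is present.`, so the grant is visible wherever the interface is used. In the first hunk, the comment `# files_getattr_all_files(domain)` above `files_list_all_dirs` names a different interface and should be removed or changed to `# files_list_all_dirs(domain)`. The neighbouring interfaces continue outside these hunks.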
|
||||
|
|
|
@ -410,6 +410,10 @@ optional_policy(`raid.te',`
|
|||
raid_manage_mdadm_pid(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`quota.te',`
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
corecmd_shell_entry_type(initrc_t)
|
||||
')
|
||||
|
|
|
@ -265,6 +265,10 @@ template(`base_user_template',`
|
|||
pcmcia_read_pid($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`quota.te',`
|
||||
quota_dontaudit_getattr_db($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
files_getattr_var_lib_dir($1_t)
|
||||
files_search_var_lib($1_t)
|
||||
|
|
|
@ -175,6 +175,10 @@ ifdef(`targeted_policy',`
|
|||
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`quota.te',`
|
||||
quota_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
|