From 3daef6999a653670e022d0ce4fb07d6d9c1087a7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 23 Sep 2008 12:56:00 +0000 Subject: [PATCH] trunk: cvs update from dan. --- policy/modules/services/cvs.if | 34 ++++++++++++++++++++++++++++++++++ policy/modules/services/cvs.te | 17 +++++------------ 2 files changed, 39 insertions(+), 12 deletions(-) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if index a1baa0703..997973dc7 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -36,3 +36,37 @@ interface(`cvs_exec',` can_exec($1, cvs_exec_t) ') + +######################################## +## +## All of the rules required to administrate +## an cvs environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cvs domain. +## +## +## +# +interface(`cvs_admin',` + gen_require(` + type cvs_t, cvs_tmp_t; + type cvs_data_t, cvs_var_run_t; + type cvs_initrc_exec_t; + ') + + allow $1 cvs_t:process { ptrace signal_perms }; + ps_process_pattern($1, cvs_t) + + # Allow cvs_t to restart the apache service + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cvs_initrc_exec_t system_r; + allow $2 system_r; +') diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index e20c0b882..393026248 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -1,5 +1,5 @@ -policy_module(cvs, 1.6.0) +policy_module(cvs, 1.6.1) ######################################## # @@ -22,6 +22,9 @@ role system_r types cvs_t; type cvs_data_t; # customizable files_type(cvs_data_t) +type cvs_initrc_exec_t; +init_script_file(cvs_initrc_exec_t) + type cvs_tmp_t; files_tmp_file(cvs_tmp_t) @@ -69,6 +72,7 @@ dev_read_urand(cvs_t) fs_getattr_xattr_fs(cvs_t) auth_domtrans_chk_passwd(cvs_t) +auth_use_nsswitch(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -86,8 +90,6 @@ logging_send_audit_msgs(cvs_t) miscfiles_read_localization(cvs_t) -sysnet_read_config(cvs_t) - mta_send_mail(cvs_t) # cjp: typeattribute doesnt work in conditionals yet @@ -97,16 +99,7 @@ tunable_policy(`allow_cvs_read_shadow',` ') optional_policy(` - kerberos_use(cvs_t) kerberos_read_keytab(cvs_t) kerberos_read_config(cvs_t) kerberos_dontaudit_write_config(cvs_t) ') - -optional_policy(` - nis_use_ypbind(cvs_t) -') - -optional_policy(` - nscd_socket_use(cvs_t) -')