add radius and amanda, which I forgot to ci
This commit is contained in:
parent
230838e117
commit
44fc06b0cb
|
@ -0,0 +1,72 @@
|
|||
|
||||
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
|
||||
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
|
||||
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
|
||||
|
||||
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
|
||||
|
||||
/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
|
||||
|
||||
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
|
||||
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amlogroll -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amplot\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amplot\.g -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amplot\.gp -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amtrmidx -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amtrmlog -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/calcsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-chio -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-chs -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-manual -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-multi -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-rth -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-scsi -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/chg-zd-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/driver -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/dumper -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/killpgrp -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/patch-system -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/planner -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/rundump -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/runtar -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/selfcheck -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/sendbackup -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/sendsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/taper -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/versionsuffix -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
|
||||
/usr/sbin/amadmin -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amcheck -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amcheckdb -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amcleanup -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amdump -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amflush -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amgetconf -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amlabel -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amoverview -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amplot -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
|
||||
/usr/sbin/amreport -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amrestore -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amrmtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amstatus -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amtoc -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
/usr/sbin/amverify -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
|
||||
|
||||
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
|
||||
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
|
||||
/var/lib/amanda/\.bashrc -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
|
||||
/var/lib/amanda/\.profile -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
|
||||
/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
|
||||
/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
|
||||
/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
|
|
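Review bot: `/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)` is the only entry in the `/var/lib/amanda` group with neither a `(/.*)?` suffix nor a file-type flag, so only the directory itself is relabeled `amanda_data_t` and anything created beneath it presumably inherits the parent's label at runtime (the intended type for index contents is not stated on the page). If the index tree is meant to be data like the neighbouring `gnutar-lists(/.*)?` entry, `/var/lib/amanda/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)` would cover it consistently.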
@ -0,0 +1,64 @@
|
|||
## <summary>Automated backup program.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute amrecover in the amanda_recover domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`amanda_domtrans_recover',`
|
||||
gen_require(`
|
||||
type amanda_recover_t, amanda_recover_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
|
||||
|
||||
allow $1 amanda_recover_t:fd use;
|
||||
allow amanda_recover_t $1:fd use;
|
||||
allow amanda_recover_t $1:fifo_file rw_file_perms;
|
||||
allow amanda_recover_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute amrecover in the amanda_recover domain, and
|
||||
## allow the specified role the amanda_recover domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the amanda_recover domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the amanda_recover domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`amanda_run_recover',`
|
||||
gen_require(`
|
||||
type amanda_recover_t;
|
||||
')
|
||||
|
||||
amanda_domtrans_recover($1)
|
||||
role $2 types amanda_recover_t;
|
||||
allow amanda_recover_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search amanda library directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`amanda_search_lib',`
|
||||
gen_require(`
|
||||
type amanda_usr_lib_t;
|
||||
')
|
||||
|
||||
allow $1 amanda_usr_lib_t:dir search;
|
||||
files_search_usr($1)
|
||||
')
|
|
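Review bot: The `terminal` parameter description in `amanda_run_recover` is ungrammatical: "The type of the terminal allow the amanda_recover domain to use." Suggested wording: `## The type of the terminal the amanda_recover domain is allowed to use.` The `domain` and `role` descriptions in the same block are fine, and the rules in `amanda_domtrans_recover` match the hand-written fd/fifo/sigchld transition boilerplate used elsewhere in this tree.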
@ -0,0 +1,247 @@
|
|||
|
||||
policy_module(amanda,1.0)
|
||||
|
||||
#######################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type amanda_t;
|
||||
type amanda_inetd_exec_t;
|
||||
inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
|
||||
role system_r types amanda_t;
|
||||
|
||||
type amanda_exec_t;
|
||||
domain_entry_file(amanda_t,amanda_exec_t)
|
||||
|
||||
type amanda_log_t;
|
||||
logging_log_file(amanda_log_t)
|
||||
|
||||
# type for amanda configurations files
|
||||
type amanda_config_t;
|
||||
files_type(amanda_config_t)
|
||||
|
||||
# type for files in /usr/lib/amanda
|
||||
type amanda_usr_lib_t;
|
||||
files_type(amanda_usr_lib_t)
|
||||
|
||||
# type for all files in /var/lib/amanda
|
||||
type amanda_var_lib_t;
|
||||
files_type(amanda_var_lib_t)
|
||||
|
||||
# type for all files in /var/lib/amanda/gnutar-lists/
|
||||
type amanda_gnutarlists_t;
|
||||
files_type(amanda_gnutarlists_t)
|
||||
|
||||
# type for user startable files
|
||||
type amanda_user_exec_t;
|
||||
files_type(amanda_user_exec_t)
|
||||
|
||||
# type for same awk and other scripts
|
||||
type amanda_script_exec_t;
|
||||
files_type(amanda_script_exec_t)
|
||||
|
||||
# type for the shell configuration files
|
||||
type amanda_shellconfig_t;
|
||||
files_type(amanda_shellconfig_t)
|
||||
|
||||
type amanda_tmp_t;
|
||||
files_tmp_file(amanda_tmp_t)
|
||||
|
||||
# type for /etc/amandates
|
||||
type amanda_amandates_t;
|
||||
files_type(amanda_amandates_t)
|
||||
|
||||
# type for /etc/dumpdates
|
||||
type amanda_dumpdates_t;
|
||||
files_type(amanda_dumpdates_t)
|
||||
|
||||
# type for amanda data
|
||||
type amanda_data_t;
|
||||
files_type(amanda_data_t)
|
||||
|
||||
# type for amrecover
|
||||
type amanda_recover_t;
|
||||
type amanda_recover_exec_t;
|
||||
domain_type(amanda_recover_t)
|
||||
domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
|
||||
role system_r types amanda_recover_t;
|
||||
|
||||
# type for recover files ( restored data )
|
||||
type amanda_recover_dir_t;
|
||||
files_type(amanda_recover_dir_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Amanda local policy
|
||||
#
|
||||
|
||||
allow amanda_t self:capability { chown dac_override setuid };
|
||||
allow amanda_t self:process { setpgid signal };
|
||||
allow amanda_t self:fifo_file { getattr read write ioctl lock };
|
||||
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow amanda_t self:unix_dgram_socket create_socket_perms;
|
||||
allow amanda_t self:tcp_socket create_stream_socket_perms;
|
||||
allow amanda_t self:udp_socket create_socket_perms;
|
||||
|
||||
# access to amanda_amandates_t
|
||||
allow amanda_t amanda_amandates_t:file { getattr lock read write };
|
||||
|
||||
# configuration files -> read only
|
||||
allow amanda_t amanda_config_t:file { getattr read };
|
||||
|
||||
# access to amandas data structure
|
||||
allow amanda_t amanda_data_t:dir { read search write };
|
||||
allow amanda_t amanda_data_t:file { read write };
|
||||
|
||||
# access to amanda_dumpdates_t
|
||||
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
||||
|
||||
can_exec(amanda_t,amanda_exec_t)
|
||||
|
||||
# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
|
||||
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
|
||||
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
|
||||
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
|
||||
|
||||
allow amanda_t amanda_log_t:file create_file_perms;
|
||||
allow amanda_t amanda_log_t:dir rw_dir_perms;
|
||||
logging_create_log(amanda_t,amanda_log_t,{ file dir })
|
||||
|
||||
allow amanda_t amanda_tmp_t:dir create_dir_perms;
|
||||
allow amanda_t amanda_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(amanda_t, amanda_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(amanda_t)
|
||||
kernel_read_kernel_sysctl(amanda_t)
|
||||
kernel_dontaudit_getattr_unlabeled_file(amanda_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(amanda_t)
|
||||
corenet_udp_sendrecv_all_if(amanda_t)
|
||||
corenet_raw_sendrecv_all_if(amanda_t)
|
||||
corenet_tcp_sendrecv_all_nodes(amanda_t)
|
||||
corenet_udp_sendrecv_all_nodes(amanda_t)
|
||||
corenet_raw_sendrecv_all_nodes(amanda_t)
|
||||
corenet_tcp_bind_all_nodes(amanda_t)
|
||||
corenet_udp_bind_all_nodes(amanda_t)
|
||||
corenet_tcp_sendrecv_all_ports(amanda_t)
|
||||
corenet_udp_sendrecv_all_ports(amanda_t)
|
||||
|
||||
dev_getattr_all_blk_files(amanda_t)
|
||||
dev_getattr_all_blk_files(amanda_t)
|
||||
|
||||
fs_getattr_xattr_fs(amanda_t)
|
||||
fs_list_all(amanda_t)
|
||||
|
||||
storage_raw_read_fixed_disk(amanda_t)
|
||||
|
||||
files_read_etc_files(amanda_t)
|
||||
files_read_etc_runtime_files(amanda_t)
|
||||
files_list_all_dirs(amanda_t)
|
||||
files_read_all_files(amanda_t)
|
||||
files_read_all_symlinks(amanda_t)
|
||||
files_read_all_blk_nodes(amanda_t)
|
||||
files_read_all_chr_nodes(amanda_t)
|
||||
files_getattr_all_pipes(amanda_t)
|
||||
files_getattr_all_sockets(amanda_t)
|
||||
|
||||
corecmd_exec_shell(amanda_t)
|
||||
corecmd_exec_sbin(amanda_t)
|
||||
corecmd_exec_bin(amanda_t)
|
||||
|
||||
libs_use_ld_so(amanda_t)
|
||||
libs_use_shared_libs(amanda_t)
|
||||
|
||||
sysnet_read_config(amanda_t)
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
auth_read_shadow(amanda_t)
|
||||
')
|
||||
|
||||
optional_policy(`logging.te',`
|
||||
logging_send_syslog_msg(amanda_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(amanda_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(amanda_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Amanda recover local policy
|
||||
|
||||
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
|
||||
allow amanda_recover_t self:process { sigkill sigstop signal };
|
||||
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
|
||||
allow amanda_recover_t self:unix_stream_socket { connect create read write };
|
||||
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
|
||||
allow amanda_recover_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
|
||||
allow amanda_recover_t amanda_log_t:file manage_file_perms;
|
||||
allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
|
||||
|
||||
# access to amanda_recover_dir_t
|
||||
allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
|
||||
userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:file create_file_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
|
||||
files_create_tmp_files(amanda_recover_t,amanda_tmp_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_system_state(amanda_recover_t)
|
||||
kernel_read_kernel_sysctl(amanda_recover_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(amanda_recover_t)
|
||||
corenet_udp_sendrecv_all_if(amanda_recover_t)
|
||||
corenet_raw_sendrecv_all_if(amanda_recover_t)
|
||||
corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
|
||||
corenet_udp_sendrecv_all_nodes(amanda_recover_t)
|
||||
corenet_raw_sendrecv_all_nodes(amanda_recover_t)
|
||||
corenet_tcp_sendrecv_all_ports(amanda_recover_t)
|
||||
corenet_udp_sendrecv_all_ports(amanda_recover_t)
|
||||
corenet_tcp_bind_all_nodes(amanda_recover_t)
|
||||
corenet_udp_bind_all_nodes(amanda_recover_t)
|
||||
corenet_tcp_connect_amanda_port(amanda_recover_t)
|
||||
|
||||
corecmd_exec_shell(amanda_recover_t)
|
||||
corecmd_exec_bin(amanda_recover_t)
|
||||
|
||||
domain_use_wide_inherit_fd(amanda_recover_t)
|
||||
|
||||
files_read_etc_files(amanda_recover_t)
|
||||
files_read_etc_runtime_files(amanda_recover_t)
|
||||
files_search_tmp(amanda_recover_t)
|
||||
files_search_pids(amanda_recover_t)
|
||||
|
||||
fstools_domtrans(amanda_t)
|
||||
|
||||
libs_use_ld_so(amanda_recover_t)
|
||||
libs_use_shared_libs(amanda_recover_t)
|
||||
|
||||
logging_search_logs(amanda_recover_t)
|
||||
|
||||
miscfiles_read_localization(amanda_recover_t)
|
||||
|
||||
sysnet_read_config(amanda_recover_t)
|
||||
|
||||
userdom_search_sysadm_home_subdirs(amanda_recover_t)
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(amanda_recover_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(amanda_recover_t)
|
||||
')
|
|
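Review bot: `fstools_domtrans(amanda_t)` sits in the "Amanda recover local policy" section, between `files_search_pids(amanda_recover_t)` and `libs_use_ld_so(amanda_recover_t)`, yet names `amanda_t`; either the subject should be `amanda_recover_t` or the line belongs in the amanda_t section above, and the comment should say why a backup domain transitions to fstools. `dev_getattr_all_blk_files(amanda_t)` also appears twice in a row in the amanda_t section, which looks like the second copy was meant to be a different interface (verify against the dev interfaces this tree provides). Separately, `allow amanda_t amanda_data_t:dir { read search write };` grants `write` on the directory without `add_name`/`remove_name`, so creating or unlinking entries under amanda_data_t will still be denied; the neighbouring gnutar-lists rule uses `rw_dir_perms`, which is probably what was intended here.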
@ -0,0 +1,19 @@
|
|||
|
||||
/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
|
||||
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
|
||||
|
||||
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
|
||||
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
|
||||
|
||||
/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
|
||||
/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
|
|
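Review bot: The two cron entries use different period sets: `/etc/cron\.(daily|monthly)/radiusd` omits `weekly` while the `freeradius` line below it covers `(daily|weekly|monthly)`, so a weekly radiusd script would keep the generic cron label and not get the `cron_system_entry` transition declared in radius.te. If the omission is not deliberate, `/etc/cron\.(daily|weekly|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)` makes the two consistent.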
@ -0,0 +1,21 @@
|
|||
## <summary>RADIUS authentication and accounting server.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use radius over a UDP connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`radius_use',`
|
||||
gen_require(`
|
||||
type radius_t;
|
||||
')
|
||||
|
||||
allow $1 radiusd_t:udp_socket sendto;
|
||||
allow radiusd_t $1:udp_socket recvfrom;
|
||||
|
||||
allow radiusd_t $1:udp_socket sendto;
|
||||
allow $1 radiusd_t:udp_socket recvfrom;
|
||||
')
|
|
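Review bot: The `gen_require` block in `radius_use` requires `type radius_t;`, but every rule in the body references `radiusd_t`, which is the type radius.te declares in this same commit; as written the require names a type that does not exist and the body uses one that is not required, so the module will not build cleanly. Change the require to `type radiusd_t;`. Note also that the interface takes a single `domain` argument, whereas the sysadm.te hunk in this commit calls it with three.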
@ -0,0 +1,137 @@
|
|||
|
||||
policy_module(radius,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type radiusd_t;
|
||||
type radiusd_exec_t;
|
||||
init_daemon_domain(radiusd_t,radiusd_exec_t)
|
||||
|
||||
type radiusd_etc_t; #, usercanread;
|
||||
files_type(radiusd_etc_t)
|
||||
|
||||
type radiusd_log_t;
|
||||
logging_log_file(radiusd_log_t)
|
||||
|
||||
type radiusd_var_run_t;
|
||||
files_pid_file(radiusd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
# fsetid is for gzip which needs it when run from scripts
|
||||
# gzip also needs chown access to preserve GID for radwtmp files
|
||||
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
|
||||
dontaudit radiusd_t self:capability sys_tty_config;
|
||||
allow radiusd_t self:process setsched;
|
||||
allow radiusd_t self:fifo_file rw_file_perms;
|
||||
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow radiusd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow radiusd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow radiusd_t radiusd_etc_t:file r_file_perms;
|
||||
allow radiusd_t radiusd_etc_t:dir r_dir_perms;
|
||||
allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
|
||||
files_search_etc(radiusd_t)
|
||||
|
||||
allow radiusd_t radiusd_log_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_log_t:dir { create rw_dir_perms };
|
||||
logging_create_log(radiusd_t,radiusd_log_t,{ file dir })
|
||||
|
||||
allow radiusd_t radiusd_var_run_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(radiusd_t,radiusd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(radiusd_t)
|
||||
kernel_read_system_state(radiusd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(radiusd_t)
|
||||
corenet_udp_sendrecv_all_if(radiusd_t)
|
||||
corenet_raw_sendrecv_all_if(radiusd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(radiusd_t)
|
||||
corenet_udp_sendrecv_all_nodes(radiusd_t)
|
||||
corenet_raw_sendrecv_all_nodes(radiusd_t)
|
||||
corenet_tcp_bind_all_nodes(radiusd_t)
|
||||
corenet_udp_bind_all_nodes(radiusd_t)
|
||||
corenet_tcp_sendrecv_all_ports(radiusd_t)
|
||||
corenet_udp_sendrecv_all_ports(radiusd_t)
|
||||
corenet_udp_bind_radacct_port(radiusd_t)
|
||||
corenet_udp_bind_radius_port(radiusd_t)
|
||||
# for RADIUS proxy port
|
||||
corenet_udp_bind_generic_port(radiusd_t)
|
||||
|
||||
dev_read_sysfs(radiusd_t)
|
||||
|
||||
fs_getattr_all_fs(radiusd_t)
|
||||
fs_search_auto_mountpoints(radiusd_t)
|
||||
|
||||
term_dontaudit_use_console(radiusd_t)
|
||||
|
||||
auth_read_shadow(radiusd_t)
|
||||
|
||||
corecmd_exec_bin(radiusd_t)
|
||||
corecmd_exec_shell(radiusd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(radiusd_t)
|
||||
|
||||
files_read_usr_files(radiusd_t)
|
||||
files_read_etc_files(radiusd_t)
|
||||
files_read_etc_runtime_files(radiusd_t)
|
||||
|
||||
init_use_fd(radiusd_t)
|
||||
init_use_script_pty(radiusd_t)
|
||||
|
||||
libs_use_ld_so(radiusd_t)
|
||||
libs_use_shared_libs(radiusd_t)
|
||||
libs_exec_lib_files(radiusd_t)
|
||||
|
||||
logging_send_syslog_msg(radiusd_t)
|
||||
|
||||
miscfiles_read_localization(radiusd_t)
|
||||
|
||||
sysnet_read_config(radiusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(radiusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
|
||||
userdom_dontaudit_getattr_sysadm_home_dir(radiusd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(radiusd_t)
|
||||
term_dontaudit_use_generic_pty(radiusd_t)
|
||||
files_dontaudit_read_root_file(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_system_entry(radiusd_t,radiusd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te', `
|
||||
logrotate_exec(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`snmp.te',`
|
||||
snmp_use(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(radiusd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(radiusd_t)
|
||||
')
|
||||
') dnl end TODO
|
|
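Review bot: `sys_tty_config` is both granted in `allow radiusd_t self:capability { ... sys_tty_config };` and then suppressed by `dontaudit radiusd_t self:capability sys_tty_config;` on the next line; an allowed permission never produces a denial, so the dontaudit is dead and the allow is wider than the comment above it (gzip needing `fsetid`/`chown`) justifies. Keep one: if the daemon merely probes for the capability, drop `sys_tty_config` from the allow and keep the dontaudit. Smaller points: the trailing `#, usercanread;` on `type radiusd_etc_t;` is a leftover from an older declaration syntax, and the `ifdef(`TODO',` block at the end is unreachable and could be removed or reduced to a comment.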
@ -1 +1,19 @@
|
|||
## <summary>Simple network management protocol services</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use snmp over a TCP connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`snmp_use',`
|
||||
gen_require(`
|
||||
type snmpd_t;
|
||||
')
|
||||
|
||||
allow $1 snmpd_t:tcp_socket { connectto recvfrom };
|
||||
allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
')
|
||||
|
|
|
@ -52,6 +52,7 @@ kernel_read_net_sysctl(snmpd_t)
|
|||
kernel_read_proc_symlinks(snmpd_t)
|
||||
kernel_read_system_state(snmpd_t)
|
||||
kernel_read_network_state(snmpd_t)
|
||||
kernel_tcp_recvfrom(snmpd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(snmpd_t)
|
||||
corenet_raw_sendrecv_all_if(snmpd_t)
|
||||
|
|
|
@ -1740,7 +1740,7 @@ interface(`userdom_rw_sysadm_pipe',`
|
|||
## home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_getattr_sysadm_home_dir',`
|
||||
|
@ -1751,6 +1751,24 @@ interface(`userdom_getattr_sysadm_home_dir',`
|
|||
allow $1 sysadm_home_dir_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the sysadm users
|
||||
## home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sysadm_home_dir_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the sysadm users home directory.
|
||||
|
|
|
@ -235,6 +235,10 @@ ifdef(`targeted_policy',`
|
|||
quota_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`radius.te',`
|
||||
radius_use(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
|
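Review bot: `radius_use(sysadm_t,sysadm_r,admin_terminal)` passes three arguments, but `radius_use` as defined in radius.if in this commit takes only `domain`; m4 silently drops `sysadm_r` and `admin_terminal`, so the role and terminal arguments have no effect and the call reads as though it were a `*_run` interface like the neighbouring `quota_run`/`rpm_run`. Call it as `radius_use(sysadm_t)`, or, if the intent was to let sysadm run the daemon in its own domain, add a run-style interface to radius.if rather than overloading `radius_use`. The enclosing `ifdef(`targeted_policy'` block starts outside the hunk.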