From 6a2975706a7c8615dd92c861cb1b175b38c56a55 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 30 Apr 2007 17:39:01 +0000 Subject: [PATCH] add rwho from Nalin Dahyabhai --- Changelog | 2 + policy/modules/kernel/corenetwork.te.in | 3 +- policy/modules/services/rwho.fc | 3 ++ policy/modules/services/rwho.if | 1 + policy/modules/services/rwho.te | 60 +++++++++++++++++++++++++ 5 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 policy/modules/services/rwho.fc create mode 100644 policy/modules/services/rwho.if create mode 100644 policy/modules/services/rwho.te diff --git a/Changelog b/Changelog index 025aef17e..731e22dec 100644 --- a/Changelog +++ b/Changelog @@ -8,6 +8,8 @@ parties. - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a template instead of an interface. +- Added modules: + rwho (Nalin Dahyabhai) * Tue Apr 17 2007 Chris PeBenito - 20070417 - Patch for sasl's use of kerberos from Dan Walsh. diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index c235aa682..c2c16724d 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.6) +policy_module(corenetwork,1.2.7) ######################################## # @@ -132,6 +132,7 @@ network_port(rndc, tcp,953,s0) network_port(router, udp,520,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) +network_port(rwho, udp,513,s0) network_port(smbd, tcp,139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc new file mode 100644 index 000000000..2d1f8ed62 --- /dev/null +++ b/policy/modules/services/rwho.fc @@ -0,0 +1,3 @@ +/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) + +/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) 
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
new file mode 100644
index 000000000..d2d17a081
--- /dev/null
+++ b/policy/modules/services/rwho.if
@@ -0,0 +1 @@
+## Who is logged in on other machines?
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
new file mode 100644
index 000000000..ab2972948
--- /dev/null
+++ b/policy/modules/services/rwho.te
@@ -0,0 +1,60 @@
+
+policy_module(rwho,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rwho_t;
+type rwho_exec_t;
+init_daemon_domain(rwho_t, rwho_exec_t)
+
+# var/spool files
+type rwho_spool_t;
+files_type(rwho_spool_t)
+
+########################################
+#
+# rwho local policy
+#
+
+allow rwho_t self:capability sys_chroot;
+allow rwho_t self:unix_dgram_socket create;
+allow rwho_t self:fifo_file rw_file_perms;
+allow rwho_t self:unix_stream_socket create_stream_socket_perms;
+allow rwho_t self:udp_socket create_socket_perms;
+
+# var/spool files for rwho
+allow rwho_t rwho_spool_t:dir manage_dir_perms;
+allow rwho_t rwho_spool_t:file manage_file_perms;
+files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
+
+kernel_read_system_state(rwho_t)
+
+corenet_non_ipsec_sendrecv(rwho_t)
+corenet_udp_sendrecv_all_if(rwho_t)
+corenet_udp_sendrecv_all_nodes(rwho_t)
+corenet_udp_sendrecv_all_ports(rwho_t)
+corenet_udp_bind_all_nodes(rwho_t)
+corenet_udp_bind_rwho_port(rwho_t)
+corenet_sendrecv_rwho_server_packets(rwho_t)
+
+domain_use_interactive_fds(rwho_t)
+
+files_read_etc_files(rwho_t)
+
+init_read_utmp(rwho_t)
+init_dontaudit_write_utmp(rwho_t)
+
+libs_use_ld_so(rwho_t)
+libs_use_shared_libs(rwho_t)
+
+miscfiles_read_localization(rwho_t)
+
+sysnet_dns_name_resolve(rwho_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(rwho_t)
+	term_dontaudit_use_generic_ptys(rwho_t)
+')
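Review bot: The single header line in rwho.if is plain text, `## Who is logged in on other machines?`, whereas the module summary that the policy documentation tooling extracts from the other services/*.if headers is wrapped in tags — suggest `## <summary>Who is logged in on other machines?</summary>`. The file also declares no interfaces, so `rwho_spool_t` (declared in rwho.te in this same patch) cannot be granted to any other module; the rwho and ruptime readers of /var/spool/rwho run in the caller's domain and will presumably be denied unless that domain already reads every file type. A read-only interface keeps the grant narrow; the lines below add one that searches /var/spool, lists the spool directory and reads its files, and nothing else.

```m4
## <summary>
##	Read rwho spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rwho_read_spool_files',`
	gen_require(`
		type rwho_spool_t;
	')

	files_search_spool($1)
	allow $1 rwho_spool_t:dir list_dir_perms;
	allow $1 rwho_spool_t:file read_file_perms;
')
```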
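Review bot: `corenet_udp_sendrecv_all_ports(rwho_t)` in the rwho.te hunk lets the daemon exchange UDP with every labelled port type, while the neighbouring rules are already scoped to the rwho port (`corenet_udp_bind_rwho_port`, `corenet_sendrecv_rwho_server_packets`) and the `network_port(rwho, udp,513,s0)` added to corenetwork.te.in in this patch also generates `corenet_udp_sendrecv_rwho_port`. If rwhod only broadcasts and receives on 513/udp, the narrower `corenet_udp_sendrecv_rwho_port(rwho_t)` should replace it; name resolution is already covered separately by `sysnet_dns_name_resolve(rwho_t)`. Separately, `allow rwho_t self:unix_dgram_socket create;` looks like the local half of syslog(3) use, but nothing in the hunk grants the connect and send to the log socket — if rwhod does log through syslog, `logging_send_syslog_msg(rwho_t)` is needed, otherwise the create rule is dead and can be dropped. The `sys_chroot` capability with no `setuid`/`setgid` is consistent with the daemon staying root inside its chroot, presumably of the spool directory; worth confirming against the packaged rwhod, since a build that drops privileges after the chroot would be denied at that point.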