Vhostmd from Dan Walsh.

2010-03-29 11:25:06 -04:00 · 2010-03-29 11:25:06 -04:00 · 6d4dbd20ae
parent bf54d5be44
commit 6d4dbd20ae
4 changed files with 307 additions and 0 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@
 	likewise (Scott Salley)
 	pyicqt (Stefan Schulze Frielinghaus)
 	sectoolm (Miroslav Grepl)
+	vhostmd (Dan Walsh)

 * Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
 - Add separate x_pointer and x_keyboard classes inheriting from x_device. 
--- a/policy/modules/services/vhostmd.fc
+++ b/policy/modules/services/vhostmd.fc
@ -0,0 +1,5 @@
+/etc/rc.d/init.d/vhostmd	--	gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+
+/usr/sbin/vhostmd		--	gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/var/run/vhostmd.pid		--	gen_context(system_u:object_r:vhostmd_var_run_t,s0)
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@ -0,0 +1,224 @@
+## <summary>Virtual host metrics daemon</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run vhostmd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_domtrans',`
+	gen_require(`
+		type vhostmd_t, vhostmd_exec_t;
+	')
+
+	domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
+')
+
+########################################
+## <summary>
+##	Execute vhostmd server in the vhostmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_initrc_domtrans',`
+	gen_require(`
+		type vhostmd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, vhostmd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to read, vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_read_tmpfs_files',`
+	gen_require(`
+		type vhostmd_tmpfs_t;
+	')
+
+	allow $1 vhostmd_tmpfs_t:file read_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read,
+##	vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_read_tmpfs_files',`
+	gen_require(`
+		type vhostmd_tmpfs_t;
+	')
+
+	dontaudit $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to read and write vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_rw_tmpfs_files',`
+	gen_require(`
+		type vhostmd_tmpfs_t;
+	')
+
+	rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete vhostmd tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_manage_tmpfs_files',`
+	gen_require(`
+		type vhostmd_tmpfs_t;
+	')
+
+	manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Read vhostmd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_read_pid_files',`
+	gen_require(`
+		type vhostmd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 vhostmd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage vhostmd var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_manage_pid_files',`
+	gen_require(`
+		type vhostmd_var_run_t;
+	')
+
+	 manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Connect to vhostmd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_stream_connect',`
+	gen_require(`
+		type vhostmd_t, vhostmd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
+')
+
+#######################################
+## <summary>
+##	Dontaudit read and write to vhostmd
+##	over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_rw_stream_connect',`
+	gen_require(`
+		type vhostmd_t;
+	')
+
+	dontaudit $1 vhostmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an vhostmd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`vhostmd_admin',`
+	gen_require(`
+		type vhostmd_t, vhostmd_initrc_exec_t;
+	')
+
+	allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, vhostmd_t)
+
+	vhostmd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 vhostmd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	vhostmd_manage_tmpfs_files($1)
+
+	vhostmd_manage_pid_files($1)
+
+')
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@ -0,0 +1,77 @@
+
+policy_module(vhostmd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vhostmd_t;
+type vhostmd_exec_t;
+init_daemon_domain(vhostmd_t, vhostmd_exec_t)
+
+type vhostmd_initrc_exec_t;
+init_script_file(vhostmd_initrc_exec_t)
+
+type vhostmd_tmpfs_t;
+files_tmpfs_file(vhostmd_tmpfs_t)
+
+type vhostmd_var_run_t;
+files_pid_file(vhostmd_var_run_t)
+
+########################################
+#
+# vhostmd local policy
+#
+
+allow vhostmd_t self:capability { dac_override ipc_lock	setuid setgid };
+allow vhostmd_t self:process { setsched getsched };
+allow vhostmd_t self:fifo_file rw_file_perms;
+
+manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
+
+manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+
+kernel_read_system_state(vhostmd_t)
+kernel_read_network_state(vhostmd_t)
+kernel_write_xen_state(vhostmd_t)
+
+corecmd_exec_bin(vhostmd_t)
+corecmd_exec_shell(vhostmd_t)
+
+corenet_tcp_connect_soundd_port(vhostmd_t)
+
+files_read_etc_files(vhostmd_t)
+files_read_usr_files(vhostmd_t)
+
+dev_read_sysfs(vhostmd_t)
+
+auth_use_nsswitch(vhostmd_t)
+
+logging_send_syslog_msg(vhostmd_t)
+
+miscfiles_read_localization(vhostmd_t)
+
+optional_policy(`
+	hostname_exec(vhostmd_t)
+')
+
+optional_policy(`
+	rpm_exec(vhostmd_t)
+	rpm_read_db(vhostmd_t)
+')
+
+optional_policy(`
+	virt_stream_connect(vhostmd_t)
+')
+
+optional_policy(`
+	xen_domtrans_xm(vhostmd_t)
+	xen_stream_connect(vhostmd_t)
+	xen_stream_connect_xenstore(vhostmd_t)
+	xen_stream_connect_xm(vhostmd_t)
+')