misc network patches with Dominick's changes*2
I think this one is good for merging now. Signed-off-by: Russell Coker <russell@coker.com.au>
This commit is contained in:
parent
621baf7752
commit
ac5b8737fd
|
@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms;
|
|||
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
|
||||
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
|
||||
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ping_t self:icmp_socket create;
|
||||
|
||||
corenet_all_recvfrom_netlabel(ping_t)
|
||||
corenet_sendrecv_icmp_packets(ping_t)
|
||||
|
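Review bot: If `allow ping_t self:icmp_socket create;` is the line this hunk adds, `create` on its own is an unusual grant: every other socket class in this block gets `create_socket_perms` or an explicit read/write set, and a socket that is created is normally also bound, connected and read/written, so the ICMP datagram path will either hit further denials or the create-only grant is deliberate. If it is deliberate (the program probes for an ICMP datagram socket and falls back to rawip_socket when it cannot use it), record that on the line: `# create only: ping probes for an ICMP datagram socket and falls back to rawip_socket`. Otherwise `allow ping_t self:icmp_socket create_socket_perms;` matches the tcp_socket line above it. This rendering does not mark which line is new, so the identification is inferred from the hunk count.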
@ -156,13 +157,14 @@ allow traceroute_t self:capability { net_admin net_raw setgid setuid };
|
|||
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow traceroute_t self:process signal;
|
||||
allow traceroute_t self:rawip_socket create_socket_perms;
|
||||
allow traceroute_t self:packet_socket create_socket_perms;
|
||||
allow traceroute_t self:packet_socket { map create_socket_perms };
|
||||
allow traceroute_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(traceroute_t, traceroute_exec_t)
|
||||
|
||||
kernel_read_system_state(traceroute_t)
|
||||
kernel_read_network_state(traceroute_t)
|
||||
kernel_search_fs_sysctls(traceroute_t)
|
||||
|
||||
corecmd_search_bin(traceroute_t)
|
||||
|
||||
|
@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
|
|||
|
||||
logging_send_syslog_msg(traceroute_t)
|
||||
|
||||
miscfiles_read_generic_certs(traceroute_t)
|
||||
miscfiles_read_localization(traceroute_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(traceroute_t)
|
||||
|
|
|
@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_milter_t)
|
|||
|
||||
corenet_udp_bind_generic_node(dkim_milter_t)
|
||||
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
|
||||
corenet_udp_bind_generic_port(dkim_milter_t)
|
||||
|
||||
dev_read_urand(dkim_milter_t)
|
||||
# for cpu/online
|
||||
|
|
|
@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
|
|||
dev_read_urand(mailman_cgi_t)
|
||||
|
||||
files_search_locks(mailman_cgi_t)
|
||||
files_read_usr_files(mailman_cgi_t)
|
||||
|
||||
term_use_controlling_term(mailman_cgi_t)
|
||||
|
||||
|
|
|
@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
|
|||
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
|
||||
files_runtime_filetrans(mon_t, mon_runtime_t, file)
|
||||
|
||||
# to read fips_enabled
|
||||
kernel_read_crypto_sysctls(mon_t)
|
||||
|
||||
kernel_read_kernel_sysctls(mon_t)
|
||||
kernel_read_network_state(mon_t)
|
||||
kernel_read_system_state(mon_t)
|
||||
|
|
|
@ -729,3 +729,79 @@ interface(`samba_admin',`
|
|||
files_list_tmp($1)
|
||||
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## start samba daemon
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_start',`
|
||||
gen_require(`
|
||||
type samba_unit_t;
|
||||
')
|
||||
|
||||
allow $1 samba_unit_t:file getattr;
|
||||
allow $1 samba_unit_t:service start;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## stop samba daemon
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_stop',`
|
||||
gen_require(`
|
||||
type samba_unit_t;
|
||||
')
|
||||
|
||||
allow $1 samba_unit_t:file getattr;
|
||||
allow $1 samba_unit_t:service stop;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## get status of samba daemon
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_status',`
|
||||
gen_require(`
|
||||
type samba_unit_t;
|
||||
')
|
||||
|
||||
allow $1 samba_unit_t:file getattr;
|
||||
allow $1 samba_unit_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## reload samba daemon
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_reload',`
|
||||
gen_require(`
|
||||
type samba_unit_t;
|
||||
')
|
||||
|
||||
allow $1 samba_unit_t:file getattr;
|
||||
allow $1 samba_unit_t:service reload;
|
||||
')
|
||||
|
|
|
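Review bot: The four new interfaces repeat the same body with only the service verb changing, and each re-grants `samba_unit_t:file getattr`; if init.if in this tree provides a unit-verb helper (such as an init_startstop_service-style interface), calling it keeps the unit-file access consistent with how other modules expose their units and avoids four copies to maintain. If the per-verb split is intentional so a caller can be given only `stop` or only `status`, that is worth stating once, e.g. in the samba_start summary: `## Start the samba systemd unit. Use the narrower samba_status/samba_stop/samba_reload interfaces where the caller does not need to start it.` The interfaces assume `samba_unit_t` is declared as a unit file type elsewhere in the module; that declaration is not in this view, so it should be checked.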
@ -27,6 +27,7 @@ ifdef(`distro_debian',`
|
|||
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
|
||||
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/tor/torsocks\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
|
|
|
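Review bot: Labeling `/etc/tor/torsocks\.conf` as net_conf_t makes it readable by every domain that calls sysnet_read_config, which is most network clients, and writable by the few domains that manage net_conf_t; that is presumably the intent, since torsocks is preloaded into arbitrary client programs that then read this file, but the line should say so: `# torsocks is LD_PRELOADed into arbitrary clients, so its config must be readable like resolv.conf`. If the tor module has its own config type with a pattern covering /etc/tor, this more specific entry will take precedence for that one file; confirm that is wanted rather than a conflict.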
@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
|
|||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Determine whether DHCP client
|
||||
## can manage samba
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(dhcpc_manage_samba, false)
|
||||
|
||||
attribute_role dhcpc_roles;
|
||||
roleattribute system_r dhcpc_roles;
|
||||
|
||||
|
@ -174,6 +182,18 @@ ifdef(`init_systemd',`
|
|||
init_search_units(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`dhcpc_manage_samba',`
|
||||
samba_manage_var_files(dhcpc_t)
|
||||
init_exec_script_files(dhcpc_t)
|
||||
init_get_system_status(dhcpc_t)
|
||||
samba_stop(dhcpc_t)
|
||||
samba_start(dhcpc_t)
|
||||
samba_reload(dhcpc_t)
|
||||
samba_status(dhcpc_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
avahi_domtrans(dhcpc_t)
|
||||
')
|
||||
|
|
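Review bot: The `dhcpc_manage_samba` block hands dhcpc_t `init_exec_script_files`, which runs init scripts in the dhcpc_t domain itself with no transition, on top of write access to samba's variable files and start/stop/reload/status of the unit; dhcpc_t processes whatever the DHCP server on the wire sends, so with the boolean enabled a hostile lease that reaches a dhclient hook can drive samba. The false default is right, but the tunable description in the declarations hunk should state the scope so an administrator can judge it: `## Allow the DHCP client to write samba variable files, run init scripts, and start, stop, reload and query the samba service (for dhclient hooks that update samba on lease changes). Off by default; dhcpc_t handles untrusted network data.` If the hook only drives the systemd unit, `init_exec_script_files(dhcpc_t)` looks droppable; worth confirming against the hook that motivated this.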