Commit Graph

31 Commits

Author SHA1 Message Date
Chris PeBenito 68c8f3fc19 Fix whitespace issue in bacula sysadm patch. 2012-03-30 08:49:27 -04:00
Sven Vermeulen fdacc6e744 Allow sysadm to call bacula client
This patch allows the sysadmin to run the bacula admin client.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-03-30 08:48:39 -04:00
Chris PeBenito f65edd8280 Bump module versions for release. 2012-02-15 14:32:45 -05:00
Chris PeBenito 4d91cc95c7 Module version bump and Changelog for asterisk admin updates from Sven Vermeulen. 2011-10-25 09:43:13 -04:00
Sven Vermeulen ecf83667ab Allow sysadm to interact with asterisk
When administering asterisk, one often ran command is "asterisk -r"
which yields the asterisk CLI (when the asterisk server is running). To
be able to run this, you need asterisk_stream_connect privileges.

Assign these privileges to the sysadm_r

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-10-25 09:40:12 -04:00
Sven Vermeulen c94b5e3d18 Allow sysadm_t to call all portage related services
The system administrator (in sysadm_t) is the only "user" domain that is
allowed to call portage-related services. So it also gains the privilege
to execute portage tree management functions (and as such transition to
portage_fetch_t).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-14 12:33:07 -04:00
Chris PeBenito f07bc3f973 Module version and changelog for openrc and portage updates from Sven Vermeulen. 2011-09-06 14:02:12 -04:00
Chris PeBenito ca4d39d31c Rename init_rc_exec() to init_exec_rc(). 2011-09-06 13:58:04 -04:00
Sven Vermeulen 706d503e5b Allow the sysadm domain to execute rc
The /sbin/rc binary is used by the system administrator to manage
runlevels (add/delete), check runlevel state, etc. all which do not
require a transition to occur. Hence the /sbin/rc (now labeled
rc_exec_t) is allowed to be executed without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:44 -04:00
Chris PeBenito 102f084d96 New git service features from Dominick Grift.
* git user sessions
* repositories on CIFS/NFS
* inetd service
2011-09-02 09:20:23 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito d5048bc791 Module version bump for raid run interface. 2011-05-04 09:09:08 -04:00
Sven Vermeulen 681831da06 system admin needs to use mdadm, but type is not allowed
After a quick discussion with dominique, new attempt due to two issues:

1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
   idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
   whereas raid_run_mdadm is to transition and run into a specific domain

Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).

Also, refpolicy InterfaceNaming document only talks about run, not role.

So, without much further ado... ;-)

  The system administrator (sysadm_r role) needs to use mdadm, but is not
  allowed to use the mdadm_t type.

  Rather than extend raid_domtrans_mdadm to allow this as well, use a
  raid_mdadm_role (a bit more conform other role usages).

  The other users of raid_domtrans_mdadm are all domains that run in system_r
  role, which does have this type allowed (as per the system/raid.te
  definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-05-02 12:54:03 -04:00
Harry Ciao b2f8897d9c Add support for the samhain program.
Note, extra privileges may need to be granted to the samhain domain
if its default configuration file(/etc/samhainrc) is changed.

The samhain program could be used in the following way:

(In secadm_r role)
1. Initialize filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t init"

(Note, the current secadm console will be blocked until
the database is completed)

2. Start samhain deamon to check filesystem integrity
newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"

3. Update filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t update"

(In sysadm_r role)
1. Start samhain in daemon mode:
run_init /etc/init.d/samhain start

2. Stop samhain daemon:
run_init /etc/init.d/samhain stop

3. Check samhain daemon status:
run_init /etc/init.d/samhain status

4. Read/write samhain log files:
newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"

5. Remove samhain database files
newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"

Note:
1. Stop samhain daemon before updating signature database.
2. Don't try to start samhain daemon twice.
3. Need to toggle SELinux into the Permissive mode in order to remove
   the samhain_log files from /var/log/.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-12-15 10:57:12 -05:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito 6df9de4947 Module version bump for vlock. Changelog entry. 2010-11-01 11:22:25 -04:00
Chris PeBenito 7f9f5bce63 Rename vlock interfaces. 2010-11-01 11:22:07 -04:00
Harry Ciao d35e2ee03b Adding support for the vlock program.
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito 641ac05468 Hadoop cleanup and module version bump.
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation

> +files_read_all_files(hadoop_t)

A very big privilege.

and

> +fs_associate(hadoop_tasktracker_t)

This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
2010-10-07 10:57:55 -04:00
Paul Nuzzi bc71a042d8 hadoop 1/10 -- unconfined
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones.  Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init.  Let me know what you think.
>>>>>
>>>>> Why do some hadoop domain need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work.  All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t.  The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp certainly the bane of policy writers.  Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir.  I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments.  Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when its committed.
>
> Other comments inline.
>

I did my best locking down the ports hadoop uses.  Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have.  Hopefully one day hadoop will settle on static ports.  I added hadoop_datanode port 50010 since it is important to lock down that service.  I changed the patch based on the rest of the comments.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2010-10-07 08:07:16 -04:00
Chris PeBenito e29f6bf08a Module version bump and Changelog for 329138b and 413aac1. 2010-10-01 09:50:50 -04:00
Dominick Grift 329138beba Move oident manage and relabel home content interfaces to common user template.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-01 09:41:12 -04:00
Jeremy Solt c87e150280 roles patch from Dan Walsh to move unwanted interface calls into a ifndef 2010-08-09 09:20:31 -04:00
Chris PeBenito 08690c84ad Remove ethereal module since the application was renamed to wireshark due to trademark issues. 2010-07-07 09:31:57 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito 64daa85393 trunk: add sysadm_entry_spec_domtrans_to() interface from clip. 2009-01-15 15:07:37 +00:00
Chris PeBenito 296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito 0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito b34db7a8ec trunk: another pile of misc fixes. 2008-05-22 15:24:52 +00:00
Chris PeBenito e9c6cda7da trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00