Commit Graph

64 Commits

Author SHA1 Message Date
Chris PeBenito 3516535aa6 Bump module versions for release. 2012-07-25 14:33:06 -04:00
Chris PeBenito b72101a116 Module version bump and changelog for non-auth file attribute to eliminate set expressions, from James Carter. 2012-05-04 09:14:00 -04:00
James Carter 624e73955d Changed non-contrib policy to use the new non_auth_file_type interfaces
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:49 -04:00
Chris PeBenito 2e83467903 Module version bump and changelog for virt updates from Sven Vermeulen. 2012-04-23 10:43:15 -04:00
Sven Vermeulen e842434336 Calling virsh requires stream_connect rights towards virt
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 10:22:55 -04:00
Chris PeBenito fbb165b989 Module version bump and changelog for bacula. 2012-03-30 09:43:13 -04:00
Chris PeBenito 68c8f3fc19 Fix whitespace issue in bacula sysadm patch. 2012-03-30 08:49:27 -04:00
Sven Vermeulen fdacc6e744 Allow sysadm to call bacula client
This patch allows the sysadmin to run the bacula admin client.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-03-30 08:48:39 -04:00
Chris PeBenito f65edd8280 Bump module versions for release. 2012-02-15 14:32:45 -05:00
Chris PeBenito 4d91cc95c7 Module version bump and Changelog for asterisk admin updates from Sven Vermeulen. 2011-10-25 09:43:13 -04:00
Sven Vermeulen ecf83667ab Allow sysadm to interact with asterisk
When administering asterisk, one often ran command is "asterisk -r"
which yields the asterisk CLI (when the asterisk server is running). To
be able to run this, you need asterisk_stream_connect privileges.

Assign these privileges to the sysadm_r

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-10-25 09:40:12 -04:00
Sven Vermeulen c94b5e3d18 Allow sysadm_t to call all portage related services
The system administrator (in sysadm_t) is the only "user" domain that is
allowed to call portage-related services. So it also gains the privilege
to execute portage tree management functions (and as such transition to
portage_fetch_t).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-14 12:33:07 -04:00
Chris PeBenito 09248fa0db Move modules to contrib submodule. 2011-09-09 10:10:03 -04:00
Chris PeBenito f07bc3f973 Module version and changelog for openrc and portage updates from Sven Vermeulen. 2011-09-06 14:02:12 -04:00
Chris PeBenito ca4d39d31c Rename init_rc_exec() to init_exec_rc(). 2011-09-06 13:58:04 -04:00
Sven Vermeulen 706d503e5b Allow the sysadm domain to execute rc
The /sbin/rc binary is used by the system administrator to manage
runlevels (add/delete), check runlevel state, etc. all which do not
require a transition to occur. Hence the /sbin/rc (now labeled
rc_exec_t) is allowed to be executed without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:44 -04:00
Chris PeBenito c7c9e0e04d Whitespace fix in unprivuser. 2011-09-02 09:20:54 -04:00
Chris PeBenito 102f084d96 New git service features from Dominick Grift.
* git user sessions
* repositories on CIFS/NFS
* inetd service
2011-09-02 09:20:23 -04:00
Chris PeBenito 8b3c840804 Whitespace fix in unprivuser. 2011-07-29 08:50:24 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito a29c7b86e1 Module version bump and Changelog for auth file patches from Matthew Ife. 2011-07-18 13:48:05 -04:00
Matthew Ife 4ff4e1c505 Replace deprecated *_except_shadow macro calls with *_except_auth_files calls. 2011-07-18 13:40:38 -04:00
Chris PeBenito d5048bc791 Module version bump for raid run interface. 2011-05-04 09:09:08 -04:00
Sven Vermeulen 681831da06 system admin needs to use mdadm, but type is not allowed
After a quick discussion with dominique, new attempt due to two issues:

1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
   idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
   whereas raid_run_mdadm is to transition and run into a specific domain

Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).

Also, refpolicy InterfaceNaming document only talks about run, not role.

So, without much further ado... ;-)

  The system administrator (sysadm_r role) needs to use mdadm, but is not
  allowed to use the mdadm_t type.

  Rather than extend raid_domtrans_mdadm to allow this as well, use a
  raid_mdadm_role (a bit more conform other role usages).

  The other users of raid_domtrans_mdadm are all domains that run in system_r
  role, which does have this type allowed (as per the system/raid.te
  definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-05-02 12:54:03 -04:00
Paul Nuzzi fcb67e8cef hadoop: update to CDH3
On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
>
> So, to be explicit, its an unconditional requirement?

Yes.  I think all future versions of hadoop will be kerberos enabled.

> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()

Updated.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-05 09:35:40 -05:00
Harry Ciao b2f8897d9c Add support for the samhain program.
Note, extra privileges may need to be granted to the samhain domain
if its default configuration file(/etc/samhainrc) is changed.

The samhain program could be used in the following way:

(In secadm_r role)
1. Initialize filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t init"

(Note, the current secadm console will be blocked until
the database is completed)

2. Start samhain deamon to check filesystem integrity
newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"

3. Update filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t update"

(In sysadm_r role)
1. Start samhain in daemon mode:
run_init /etc/init.d/samhain start

2. Stop samhain daemon:
run_init /etc/init.d/samhain stop

3. Check samhain daemon status:
run_init /etc/init.d/samhain status

4. Read/write samhain log files:
newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"

5. Remove samhain database files
newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"

Note:
1. Stop samhain daemon before updating signature database.
2. Don't try to start samhain daemon twice.
3. Need to toggle SELinux into the Permissive mode in order to remove
   the samhain_log files from /var/log/.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-12-15 10:57:12 -05:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito 65ac69dd0e Whitespace fix in secadm.te and auditadm.te. 2010-11-02 09:09:05 -04:00
Harry Ciao 20cce006fa Make auditadm & secadm able to use vlock
Make the auditadm and secadm able to use the vlock program.
Also bump their module versions.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-02 09:06:13 -04:00
Chris PeBenito 6df9de4947 Module version bump for vlock. Changelog entry. 2010-11-01 11:22:25 -04:00
Chris PeBenito 7f9f5bce63 Rename vlock interfaces. 2010-11-01 11:22:07 -04:00
Harry Ciao d35e2ee03b Adding support for the vlock program.
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito 641ac05468 Hadoop cleanup and module version bump.
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation

> +files_read_all_files(hadoop_t)

A very big privilege.

and

> +fs_associate(hadoop_tasktracker_t)

This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
2010-10-07 10:57:55 -04:00
Paul Nuzzi bc71a042d8 hadoop 1/10 -- unconfined
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones.  Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init.  Let me know what you think.
>>>>>
>>>>> Why do some hadoop domain need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work.  All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t.  The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp certainly the bane of policy writers.  Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir.  I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments.  Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when its committed.
>
> Other comments inline.
>

I did my best locking down the ports hadoop uses.  Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have.  Hopefully one day hadoop will settle on static ports.  I added hadoop_datanode port 50010 since it is important to lock down that service.  I changed the patch based on the rest of the comments.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2010-10-07 08:07:16 -04:00
Chris PeBenito e29f6bf08a Module version bump and Changelog for 329138b and 413aac1. 2010-10-01 09:50:50 -04:00
Dominick Grift 329138beba Move oident manage and relabel home content interfaces to common user template.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-01 09:41:12 -04:00
Chris PeBenito 25d796ed37 Unconditional staff and user oidentd home config access from Dominick Grift. 2010-09-15 08:20:16 -04:00
Dominick Grift 941e3db567 Access for confined users to oidentd user home content is unconditional.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 08:05:41 -04:00
Chris PeBenito c62f1bef77 Dbadm updates from KaiGai Kohei. 2010-08-19 08:41:39 -04:00
Jeremy Solt c87e150280 roles patch from Dan Walsh to move unwanted interface calls into a ifndef 2010-08-09 09:20:31 -04:00
Chris PeBenito 08690c84ad Remove ethereal module since the application was renamed to wireshark due to trademark issues. 2010-07-07 09:31:57 -04:00
Chris PeBenito cad4224e8e Guest patch from Dan Walsh.
Dominic asked to remove mono and java from guest_t
2010-07-06 08:35:56 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 09b92dcc3c Guest patch from Dan Walsh. 2010-03-05 14:09:49 -05:00
Jeremy Solt 6a9ef9e852 gen_require typo fix in dbadm.if from Dan Walsh 2010-03-04 09:18:03 -05:00
Chris PeBenito c06a4452e2 Xguest patch from Dan Walsh. 2010-02-17 09:23:17 -05:00
Chris PeBenito 22a2874dbf Add dbadm, from KaiGai Kohei. 2010-02-08 10:34:08 -05:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito 4be3e11094 pull in apache_admin() from fedora 2009-07-28 13:24:08 -04:00