policy_module(cvs, 1.13.0) ######################################## # # Declarations # ## ##

## Determine whether cvs can read shadow ## password files. ##

##
gen_tunable(allow_cvs_read_shadow, false) type cvs_t; type cvs_exec_t; inetd_tcp_service_domain(cvs_t, cvs_exec_t) init_daemon_domain(cvs_t, cvs_exec_t) application_executable_file(cvs_exec_t) type cvs_data_t; # customizable files_type(cvs_data_t) type cvs_initrc_exec_t; init_script_file(cvs_initrc_exec_t) type cvs_keytab_t; files_type(cvs_keytab_t) type cvs_tmp_t; files_tmp_file(cvs_tmp_t) type cvs_var_run_t; files_pid_file(cvs_var_run_t) ######################################## # # Local policy # allow cvs_t self:capability { setgid setuid }; allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cvs_t self:tcp_socket { accept listen }; manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) allow cvs_t cvs_keytab_t:file read_file_perms; manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file }) manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) files_pid_filetrans(cvs_t, cvs_var_run_t, file) kernel_read_kernel_sysctls(cvs_t) kernel_read_system_state(cvs_t) kernel_read_network_state(cvs_t) corenet_all_recvfrom_unlabeled(cvs_t) corenet_all_recvfrom_netlabel(cvs_t) corenet_tcp_sendrecv_generic_if(cvs_t) corenet_tcp_sendrecv_generic_node(cvs_t) corenet_sendrecv_cvs_server_packets(cvs_t) corenet_tcp_bind_cvs_port(cvs_t) corenet_tcp_sendrecv_cvs_port(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) files_search_home(cvs_t) fs_getattr_xattr_fs(cvs_t) auth_domtrans_chk_passwd(cvs_t) auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) logging_send_syslog_msg(cvs_t) logging_send_audit_msgs(cvs_t) miscfiles_read_localization(cvs_t) userdom_dontaudit_search_user_home_dirs(cvs_t) # cjp: typeattribute doesnt work in conditionals yet auth_can_read_shadow_passwords(cvs_t) tunable_policy(`allow_cvs_read_shadow',` allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') optional_policy(` kerberos_read_config(cvs_t) kerberos_read_keytab(cvs_t) kerberos_use(cvs_t) kerberos_dontaudit_write_config(cvs_t) ') optional_policy(` mta_send_mail(cvs_t) ') ######################################## # # CVSWeb local policy # optional_policy(` apache_content_template(cvs) read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ')