nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8cf4002a34
selinux-refpolicy/policy/modules/services/memcached.if
Stephen Smalley 161bda392e access_vectors: Remove unused permissions 
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00

131 lines
2.7 KiB
Plaintext
Raw Blame History

## <summary>High-performance memory object caching system.</summary>
########################################
## <summary>
## Execute a domain transition to run memcached.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`memcached_domtrans',`
gen_require(`
type memcached_t,memcached_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, memcached_exec_t, memcached_t)
')
########################################
## <summary>
## Create, read, write, and delete
## memcached pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`memcached_manage_pid_files',`
gen_require(`
type memcached_runtime_t;
')
files_search_pids($1)
manage_files_pattern($1, memcached_runtime_t, memcached_runtime_t)
')
########################################
## <summary>
## Read memcached pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`memcached_read_pid_files',`
gen_require(`
type memcached_runtime_t;
')
files_search_pids($1)
allow $1 memcached_runtime_t:file read_file_perms;
')
########################################
## <summary>
## Connect to memcached using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`memcached_stream_connect',`
gen_require(`
type memcached_t, memcached_runtime_t;
')
files_search_pids($1)
stream_connect_pattern($1, memcached_runtime_t, memcached_runtime_t, memcached_t)
')
########################################
## <summary>
## Connect to memcache over the network.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`memcached_tcp_connect',`
gen_require(`
type memcached_t;
')
corenet_sendrecv_memcache_client_packets($1)
corenet_tcp_connect_memcache_port($1)
corenet_tcp_recvfrom_labeled($1, memcached_t)
')
########################################
## <summary>
## All of the rules required to
## administrate an memcached environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`memcached_admin',`
gen_require(`
type memcached_t, memcached_initrc_exec_t, memcached_runtime_t;
')
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, memcached_runtime_t)
')
Reference in New Issue View Git Blame Copy Permalink