selinux-refpolicy/policy/modules/services/cvs.te

110 lines
2.4 KiB
Plaintext
Raw Normal View History

2005-09-20 18:49:13 +00:00
policy_module(cvs,1.3.1)
2005-09-20 18:49:13 +00:00
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow cvs daemon to read shadow
## </p>
## </desc>
gen_tunable(allow_cvs_read_shadow,false)
2005-09-20 18:49:13 +00:00
type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
role system_r types cvs_t;
2006-03-23 16:07:26 +00:00
type cvs_data_t; # customizable
2005-09-20 18:49:13 +00:00
files_type(cvs_data_t)
type cvs_tmp_t;
files_tmp_file(cvs_tmp_t)
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
########################################
#
# Local policy
#
allow cvs_t self:process signal_perms;
2006-12-12 20:08:08 +00:00
allow cvs_t self:fifo_file rw_fifo_file_perms;
2005-09-20 18:49:13 +00:00
allow cvs_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:capability { setuid setgid };
2006-12-12 20:08:08 +00:00
manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)
2005-09-20 18:49:13 +00:00
2006-12-12 20:08:08 +00:00
manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
2006-02-21 18:40:44 +00:00
files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
2005-09-20 18:49:13 +00:00
2006-12-12 20:08:08 +00:00
manage_files_pattern(cvs_t,cvs_var_run_t,cvs_var_run_t)
files_pid_filetrans(cvs_t,cvs_var_run_t,file)
2005-09-20 18:49:13 +00:00
kernel_read_kernel_sysctls(cvs_t)
2005-09-20 18:49:13 +00:00
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)
2006-05-30 19:46:34 +00:00
corenet_non_ipsec_sendrecv(cvs_t)
2005-09-20 18:49:13 +00:00
corenet_tcp_sendrecv_all_if(cvs_t)
corenet_udp_sendrecv_all_if(cvs_t)
corenet_tcp_sendrecv_all_nodes(cvs_t)
corenet_udp_sendrecv_all_nodes(cvs_t)
corenet_tcp_sendrecv_all_ports(cvs_t)
corenet_udp_sendrecv_all_ports(cvs_t)
dev_read_urand(cvs_t)
fs_getattr_xattr_fs(cvs_t)
auth_domtrans_chk_passwd(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
files_read_etc_files(cvs_t)
files_read_etc_runtime_files(cvs_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(cvs_t)
libs_use_ld_so(cvs_t)
libs_use_shared_libs(cvs_t)
logging_send_syslog_msg(cvs_t)
miscfiles_read_localization(cvs_t)
sysnet_read_config(cvs_t)
mta_send_mail(cvs_t)
2006-01-06 22:51:40 +00:00
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`allow_cvs_read_shadow',`
auth_tunable_read_shadow(cvs_t)
')
optional_policy(`
2005-09-20 18:49:13 +00:00
kerberos_use(cvs_t)
kerberos_read_keytab(cvs_t)
kerberos_read_config(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
optional_policy(`
2005-09-20 18:49:13 +00:00
nis_use_ypbind(cvs_t)
')
optional_policy(`
2006-02-02 21:08:12 +00:00
nscd_socket_use(cvs_t)
2005-09-20 18:49:13 +00:00
')