RepoMirrors/selinux-refpolicy
1
0
Fork 0
mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-11 07:40:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern().

Browse Source 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2021-01-28 10:53:04 -05:00
parent c4150cd0a5
commit 982cb068c2
6 changed files with 16 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
policy/modules/services/apache.if
View File

@ -70,8 +70,7 @@ template(`apache_content_template',`
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@ -1007,8 +1006,7 @@ interface(`apache_manage_sys_rw_content',`
apache_search_sys_content($1) apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
allow $1 httpd_sys_rw_content_t:file map;
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
') ')

15
policy/modules/services/apache.te
View File

@ -378,10 +378,9 @@ allow httpd_t self:unix_stream_socket { accept connectto listen };
allow httpd_t self:tcp_socket { accept listen }; allow httpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) mmap_manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, dir) files_var_filetrans(httpd_t, httpd_cache_t, dir)
allow httpd_t httpd_cache_t:file map;
allow httpd_t httpd_config_t:dir list_dir_perms; allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@ -415,9 +414,8 @@ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
allow httpd_t httpd_rotatelogs_t:process signal_perms; allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) mmap_manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_squirrelmail_t:file map;
allow httpd_t httpd_suexec_exec_t:file read_file_perms; allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@ -441,8 +439,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) mmap_manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
allow httpd_t httpd_var_lib_t:file map;
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
@ -622,8 +619,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent) mmap_manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
allow httpd_t httpdcontent:file map;
manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@ -908,8 +904,7 @@ optional_policy(`
# Helper local policy # Helper local policy
# #
read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
allow httpd_t httpd_config_t:file map;
append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)

6
policy/modules/services/mysql.te
View File

@ -74,8 +74,7 @@ allow mysqld_t self:unix_stream_socket { connectto accept listen };
allow mysqld_t self:tcp_socket { accept listen }; allow mysqld_t self:tcp_socket { accept listen };
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
allow mysqld_t mysqld_db_t:file map;
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
@ -91,8 +90,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) mmap_manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
allow mysqld_t mysqld_tmp_t:file map;
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t) manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)

3
policy/modules/services/postgrey.te
View File

@ -46,8 +46,7 @@ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) mmap_manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
allow postgrey_t postgrey_var_lib_t:file map;
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t) manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)

15
policy/modules/services/samba.te
View File

@ -217,8 +217,7 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) mmap_manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
allow samba_net_t samba_var_t:file map;
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
@ -303,8 +302,7 @@ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget }; allow smbd_t samba_share_t:filesystem { getattr quotaget };
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t) mmap_manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
allow smbd_t samba_var_t:file map;
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba") files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@ -314,8 +312,7 @@ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t) manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t) mmap_manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
allow smbd_t samba_runtime_t:file map;
manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t) manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file }) files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
@ -530,8 +527,7 @@ allow nmbd_t self:unix_dgram_socket sendto;
allow nmbd_t self:unix_stream_socket { accept connectto listen }; allow nmbd_t self:unix_stream_socket { accept connectto listen };
manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) mmap_manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
allow nmbd_t samba_runtime_t:file map;
manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file }) files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
@ -543,8 +539,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
create_files_pattern(nmbd_t, samba_log_t, samba_log_t) create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t samba_var_t:file map;
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")

3
policy/modules/services/squid.te
View File

@ -91,8 +91,7 @@ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) mmap_manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
allow squid_t squid_tmpfs_t:file map;
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t) manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)