

Viewing changes to policy/modules/services/prelude.te

  • Committer: Bazaar Package Importer
  • Author(s): Caleb Case
  • Date: 2009-10-19 01:48:39 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20091019014839-0rpi67ygkrjya30k
Tags: 0.2.20090730-0ubuntu1
* Updated to upstream release 2.20090730
* Handle Upstart direct execution of daemons.
* Pre-depend on selinux to ensure that the trigger is handled (LP: #434084).

1
1
 
2
 
policy_module(prelude, 1.0.2)
 
2
policy_module(prelude, 1.0.3)
3
3
 
4
4
########################################
5
5
#
10
10
type prelude_exec_t;
11
11
init_daemon_domain(prelude_t, prelude_exec_t)
12
12
 
 
13
type prelude_initrc_exec_t;
 
14
init_script_file(prelude_initrc_exec_t)
 
15
 
13
16
type prelude_spool_t;
14
17
files_type(prelude_spool_t)
15
18
 
 
19
type prelude_log_t;
 
20
logging_log_file(prelude_log_t)
 
21
 
16
22
type prelude_var_run_t;
17
23
files_pid_file(prelude_var_run_t)
18
24
 
22
28
type prelude_audisp_t;
23
29
type prelude_audisp_exec_t;
24
30
init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
 
31
logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
25
32
 
26
33
type prelude_audisp_var_run_t;
27
34
files_pid_file(prelude_audisp_var_run_t)
28
35
 
 
36
type prelude_correlator_t;
 
37
type prelude_correlator_exec_t;
 
38
init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
 
39
role system_r types prelude_correlator_t;
 
40
 
 
41
type prelude_correlator_config_t;
 
42
files_config_file(prelude_correlator_config_t)
 
43
 
 
44
type prelude_lml_t;
 
45
type prelude_lml_exec_t;
 
46
init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
 
47
 
 
48
type prelude_lml_tmp_t;
 
49
files_tmp_file(prelude_lml_tmp_t)
 
50
 
 
51
type prelude_lml_var_run_t;
 
52
files_pid_file(prelude_lml_var_run_t)
 
53
 
29
54
########################################
30
55
#
31
56
# prelude local policy
32
57
#
33
58
 
34
 
allow prelude_t self:capability sys_tty_config;
 
59
allow prelude_t self:capability { dac_override sys_tty_config };
35
60
allow prelude_t self:fifo_file rw_file_perms;
36
61
allow prelude_t self:unix_stream_socket create_stream_socket_perms;
37
62
allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
38
63
allow prelude_t self:tcp_socket create_stream_socket_perms;
39
64
 
 
65
manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
 
66
logging_log_filetrans(prelude_t, prelude_log_t, file)
 
67
 
40
68
manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
41
69
manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
42
70
files_search_spool(prelude_t)
49
77
manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
50
78
files_pid_filetrans(prelude_t, prelude_var_run_t, file)
51
79
 
 
80
kernel_read_system_state(prelude_t)
 
81
kernel_read_sysctl(prelude_t)
 
82
 
52
83
corecmd_search_bin(prelude_t)
53
84
 
54
85
corenet_all_recvfrom_unlabeled(prelude_t)
56
87
corenet_tcp_sendrecv_generic_if(prelude_t)
57
88
corenet_tcp_sendrecv_generic_node(prelude_t)
58
89
corenet_tcp_bind_generic_node(prelude_t)
 
90
corenet_tcp_bind_prelude_port(prelude_t)
 
91
corenet_tcp_connect_prelude_port(prelude_t)
 
92
corenet_tcp_connect_postgresql_port(prelude_t)
59
93
 
60
94
dev_read_rand(prelude_t)
61
95
dev_read_urand(prelude_t)
62
96
 
63
 
# Init script handling
64
 
domain_use_interactive_fds(prelude_t)
65
 
 
66
97
files_read_etc_files(prelude_t)
 
98
files_read_etc_runtime_files(prelude_t)
67
99
files_read_usr_files(prelude_t)
 
100
files_search_tmp(prelude_t)
 
101
files_search_tmp(prelude_t)
 
102
 
 
103
fs_rw_anon_inodefs_files(prelude_t)
68
104
 
69
105
auth_use_nsswitch(prelude_t)
70
106
 
86
122
#
87
123
# prelude_audisp local policy
88
124
#
89
 
 
 
125
allow prelude_audisp_t self:capability dac_override;
90
126
allow prelude_audisp_t self:fifo_file rw_file_perms;
91
127
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
92
128
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
100
136
manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
101
137
files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
102
138
 
 
139
kernel_read_sysctl(prelude_audisp_t)
 
140
kernel_read_system_state(prelude_audisp_t)
 
141
 
103
142
corecmd_search_bin(prelude_audisp_t)
104
143
 
105
144
corenet_all_recvfrom_unlabeled(prelude_audisp_t)
107
146
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
108
147
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
109
148
corenet_tcp_bind_generic_node(prelude_audisp_t)
 
149
corenet_tcp_connect_prelude_port(prelude_audisp_t)
110
150
 
111
151
dev_read_rand(prelude_audisp_t)
112
152
dev_read_urand(prelude_audisp_t)
115
155
domain_use_interactive_fds(prelude_audisp_t)
116
156
 
117
157
files_read_etc_files(prelude_audisp_t)
 
158
files_read_etc_runtime_files(prelude_audisp_t)
 
159
files_search_tmp(prelude_audisp_t)
118
160
 
119
161
logging_send_syslog_msg(prelude_audisp_t)
120
162
 
121
163
miscfiles_read_localization(prelude_audisp_t)
122
164
 
 
165
sysnet_dns_name_resolve(prelude_audisp_t)
 
166
 
 
167
########################################
 
168
#
 
169
# prelude_correlator local policy
 
170
#
 
171
 
 
172
allow prelude_correlator_t self:capability dac_override;
 
173
allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
 
174
allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
 
175
allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
 
176
 
 
177
allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
 
178
read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
 
179
 
 
180
kernel_read_sysctl(prelude_correlator_t)
 
181
 
 
182
corecmd_search_bin(prelude_correlator_t)
 
183
 
 
184
corenet_all_recvfrom_unlabeled(prelude_correlator_t)
 
185
corenet_all_recvfrom_netlabel(prelude_correlator_t)
 
186
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
 
187
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
 
188
corenet_tcp_connect_prelude_port(prelude_correlator_t)
 
189
 
 
190
dev_read_rand(prelude_correlator_t)
 
191
dev_read_urand(prelude_correlator_t)
 
192
 
 
193
files_read_etc_files(prelude_correlator_t)
 
194
files_read_usr_files(prelude_correlator_t)
 
195
files_search_spool(prelude_correlator_t)
 
196
 
 
197
logging_send_syslog_msg(prelude_correlator_t)
 
198
 
 
199
miscfiles_read_localization(prelude_correlator_t)
 
200
 
 
201
sysnet_dns_name_resolve(prelude_correlator_t)
 
202
 
 
203
prelude_manage_spool(prelude_correlator_t)
 
204
 
 
205
########################################
 
206
#
 
207
# prelude_lml local declarations
 
208
#
 
209
 
 
210
allow prelude_lml_t self:capability dac_override;
 
211
allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
 
212
allow prelude_lml_t self:unix_dgram_socket { write create connect };
 
213
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
 
214
allow prelude_lml_t self:unix_stream_socket connectto;
 
215
 
 
216
manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
 
217
manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
 
218
files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
 
219
files_list_tmp(prelude_lml_t)
 
220
 
 
221
manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
 
222
manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
 
223
files_search_spool(prelude_lml_t)
 
224
 
 
225
manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
 
226
manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
 
227
files_search_var_lib(prelude_lml_t)
 
228
 
 
229
manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
 
230
files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
 
231
 
 
232
kernel_read_system_state(prelude_lml_t)
 
233
kernel_read_sysctl(prelude_lml_t)
 
234
 
 
235
corecmd_exec_bin(prelude_lml_t)
 
236
 
 
237
corenet_tcp_sendrecv_generic_if(prelude_lml_t)
 
238
corenet_tcp_sendrecv_generic_node(prelude_lml_t)
 
239
corenet_tcp_recvfrom_netlabel(prelude_lml_t)
 
240
corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
 
241
corenet_sendrecv_unlabeled_packets(prelude_lml_t)
 
242
corenet_tcp_connect_prelude_port(prelude_lml_t)
 
243
 
 
244
dev_read_rand(prelude_lml_t)
 
245
dev_read_urand(prelude_lml_t)
 
246
 
 
247
files_list_etc(prelude_lml_t)
 
248
files_read_etc_files(prelude_lml_t)
 
249
files_read_etc_runtime_files(prelude_lml_t)
 
250
 
 
251
fs_rw_anon_inodefs_files(prelude_lml_t)
 
252
 
 
253
auth_use_nsswitch(prelude_lml_t)
 
254
 
 
255
libs_exec_lib_files(prelude_lml_t)
 
256
libs_read_lib_files(prelude_lml_t)
 
257
 
 
258
logging_send_syslog_msg(prelude_lml_t)
 
259
logging_read_generic_logs(prelude_lml_t)
 
260
 
 
261
miscfiles_read_localization(prelude_lml_t)
 
262
 
 
263
sysnet_dns_name_resolve(prelude_lml_t)
 
264
 
 
265
userdom_read_all_users_state(prelude_lml_t)
 
266
 
 
267
optional_policy(`
 
268
        apache_search_sys_content(prelude_lml_t)
 
269
        apache_read_log(prelude_lml_t)
 
270
')
 
271
 
123
272
########################################
124
273
#
125
274
# prewikka_cgi Declarations
127
276
 
128
277
optional_policy(`
129
278
        apache_content_template(prewikka)
 
279
 
 
280
        can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
 
281
 
130
282
        files_read_etc_files(httpd_prewikka_script_t)
 
283
        files_search_tmp(httpd_prewikka_script_t)
 
284
 
 
285
        kernel_read_sysctl(httpd_prewikka_script_t)
 
286
        kernel_search_network_sysctl(httpd_prewikka_script_t)
 
287
 
 
288
        corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
 
289
 
 
290
        auth_use_nsswitch(httpd_prewikka_script_t)
 
291
 
 
292
        logging_send_syslog_msg(httpd_prewikka_script_t)
 
293
 
 
294
        apache_search_sys_content(httpd_prewikka_script_t)
131
295
 
132
296
        optional_policy(`
133
297
                mysql_search_db(httpd_prewikka_script_t)