authorChris PeBenito <cpebenito@tresys.com>2009-09-14 09:22:24 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-09-14 09:22:24 -0400
commite3a90e358afbc7dd9cf9687622396395848ef734 (patch)
treeb1b041323af77e8a3e2cadf5ab5b14ab425472c9
parent6af53d08ed490b3f687af233f17c7df6a0a6aa26 (diff)
add abrt from dan.
-rw-r--r--Changelog1
-rw-r--r--policy/modules/services/abrt.fc11
-rw-r--r--policy/modules/services/abrt.if125
-rw-r--r--policy/modules/services/abrt.te117
4 files changed, 254 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index 9432eb15..f8da104f 100644
--- a/Changelog
+++ b/Changelog
@@ -9,6 +9,7 @@
- Handle unix_chkpwd usage by useradd and groupadd.
- Add missing compatibility aliases for xdm_xserver*_t types.
- Added modules:
+ abrt (Dan Walsh)
gitosis (Miroslav Grepl)
hddtemp (Dan Walsh)
kdump (Dan Walsh)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
new file mode 100644
index 00000000..d2b692d0
--- /dev/null
+++ b/policy/modules/services/abrt.fc
@@ -0,0 +1,11 @@
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
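Review bot: abrt.fc labels only the two files /var/run/abrt.pid and /var/run/abrt.lock, while the abrt.te hunk in this same commit grants `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })`, i.e. the daemon may create directories under /var/run as abrt_var_run_t that no file-context entry covers. A restorecon pass would relabel such a directory to whatever the generic /var/run context is, and the daemon would then lack access to its own state on the next start; either add `/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)` here or drop `dir` from that filetrans (and likewise from the `files_var_filetrans` for abrt_var_cache_t if the cache directory is meant to be created by the package rather than the daemon). The log entry is consistent as written, since the .te only transitions plain files into abrt_var_log_t.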
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
new file mode 100644
index 00000000..e9ed246e
--- /dev/null
+++ b/policy/modules/services/abrt.if
@@ -0,0 +1,125 @@
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+## Execute abrt in the abrt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans',`
+ gen_require(`
+ type abrt_t, abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+## <summary>
+## Execute abrt
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`abrt_exec',`
+ gen_require(`
+ type abrt_exec_t;
+ ')
+
+ can_exec($1, abrt_exec_t)
+')
+
+####################################
+## <summary>
+## Read abrt configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+## <summary>
+## Read abrt logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_log',`
+ gen_require(`
+ type abrt_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+#####################################
+## <summary>
+## All of the rules required to administrate
+## an abrt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the abrt domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_admin',`
+ gen_require(`
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ ')
+
+ allow $1 abrt_t:process { ptrace signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+ files_search_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+ files_search_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+')
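Review bot: The summary of `abrt_exec` says only "Execute abrt", which does not distinguish it from `abrt_domtrans` immediately above; since `can_exec($1, abrt_exec_t)` runs the binary in the caller's own domain with no transition, the summary should say so, e.g. `## Execute abrt in the caller domain (no domain transition).`. For `abrt_admin`, the `ptrace` grant on abrt_t is part of the standard admin pattern but is worth a one-line comment, since it lets the admin role read the memory of a daemon that holds `dac_override` and `setuid` per the .te hunk, e.g. `# ptrace lets the admin role inspect a privileged daemon; keep in step with other *_admin interfaces`.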
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
new file mode 100644
index 00000000..559ce2d2
--- /dev/null
+++ b/policy/modules/services/abrt.te
@@ -0,0 +1,117 @@
+
+policy_module(abrt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type abrt_t;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+# etc files
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+# log files
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+# tmp files
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+# var/cache files
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+# pid files
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+########################################
+#
+# abrt local policy
+#
+
+allow abrt_t self:capability { setuid setgid sys_nice dac_override };
+allow abrt_t self:process { signal signull setsched getsched };
+
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# abrt etc files
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+# log file
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+# abrt tmp files
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+# abrt var/cache files
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+
+# abrt pid files
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+
+corenet_tcp_connect_http_port(abrt_t)
+
+dev_read_urand(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_etc_files(abrt_t)
+files_read_usr_files(abrt_t)
+
+fs_list_inotifyfs(abrt_t)
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+
+sysnet_read_config(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+
+miscfiles_read_certs(abrt_t)
+miscfiles_read_localization(abrt_t)
+
+# to run bugzilla plugin
+# read ~/.abrt/Bugzilla.conf
+userdom_read_user_home_content_files(abrt_t)
+
+optional_policy(`
+ dbus_connect_system_bus(abrt_t)
+ dbus_system_bus_client(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
+ rpm_manage_db(abrt_t)
+ rpm_domtrans(abrt_t)
+')
+
+# to run mailx plugin
+optional_policy(`
+ sendmail_domtrans(abrt_t)
+')
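Review bot: `userdom_read_user_home_content_files(abrt_t)` gives a root daemon that also holds `dac_override` and `corenet_tcp_connect_http_port` read access to every user's home-directory content, although the comment says the need is a single file, ~/.abrt/Bugzilla.conf. Consider wrapping the grant in a `tunable_policy` block, or giving ~/.abrt its own type so the daemon reads only its configuration, so that the broad read is an explicit administrator choice rather than the default. `kernel_rw_kernel_sysctl(abrt_t)` is the only kernel write in the hunk and carries no explanation; please add a why-comment such as `# writes kernel sysctls; presumably to register the crash hook (core_pattern) — confirm`, so a later reviewer knows whether the write side is still required.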