Red Hat Bugzilla – Attachment 314977 Details for
Bug 460129
fix policy for various packages
various policy
rawhide.patch.txt (text/plain), 9.88 KB, created by
Dominick Grift
on 2008-08-26 11:14:43 UTC
Description:
various policy
Filename:
MIME Type:
Creator:
Dominick Grift
Created:
2008-08-26 11:14:43 UTC
Size:
9.88 KB
patch
obsolete
>diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
>index e6d61a4..a9e66c5 100644
>--- a/policy/modules/services/amavis.fc
>+++ b/policy/modules/services/amavis.fc
>@@ -1,6 +1,6 @@
> 
> /etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
>-/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0)
>+/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
> 
> /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
> /usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
>@@ -16,4 +16,4 @@ ifdef(`distro_debian',`
> /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
> /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
> 
>-/etc/rc.d/init.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0)
>+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0)
>diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
>new file mode 100644
>index 0000000..e6f940d
>--- /dev/null
>+++ b/policy/modules/services/pads.fc
>@@ -0,0 +1,12 @@
>+
>+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
>+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
>+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
>+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
>+
>+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_script_exec_t, s0)
>+
>+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
>+
>+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
>+
>diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
>new file mode 100644
>index 0000000..914ab7c
>--- /dev/null
>+++ b/policy/modules/services/pads.if
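Review bot: The unescaped dots in `/etc/pads.conf`, `/etc/pads-assets.csv` and `/var/run/pads.pid` in the new pads.fc are regex metacharacters, so each entry also matches a path with any other character in that position; the amavis.fc hunk in this same patch fixes exactly that for `rc.d/init.d`. Escape them: `/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0)`, `/etc/pads-assets\.csv -- gen_context(system_u:object_r:pads_config_t, s0)`, `/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)`. The file also starts and ends with an empty added line, which the other .fc files in the patch do not.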
>@@ -0,0 +1,10 @@
>+## <summary>SELinux policy for PADS daemon.</summary>
>+## <desc>
>+## <p>
>+## PADS is a libpcap based detection engine used to
>+## passively detect network assets. It is designed to
>+## complement IDS technology by providing context to IDS
>+## alerts.
>+## </p>
>+## </desc>
>+
>diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
>new file mode 100644
>index 0000000..3dcd996
>--- /dev/null
>+++ b/policy/modules/services/pads.te
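Review bot: pads.if carries only the module summary and description block and declares no interfaces, so no other module can be granted any access to pads_t, pads_exec_t or the pads file types through it. If the module is deliberately self-contained in this first version, a plain `# No interfaces are provided yet.` comment after the description would make that explicit instead of leaving the file looking truncated.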
>@@ -0,0 +1,66 @@
>+
>+policy_module(pads, 0.0.1)
>+
>+########################################
>+#
>+# Declarations
>+#
>+
>+type pads_t;
>+type pads_exec_t;
>+init_daemon_domain(pads_t, pads_exec_t)
>+role system_r types pads_t;
>+
>+type pads_script_exec_t;
>+init_script_type(pads_script_exec_t)
>+
>+type pads_config_t;
>+files_config_file(pads_config_t)
>+
>+type pads_var_run_t;
>+files_pid_file(pads_var_run_t)
>+
>+########################################
>+#
>+# Declarations
>+#
>+
>+allow pads_t self:capability net_raw;
>+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
>+allow pads_t self:udp_socket { create ioctl };
>+allow pads_t self:unix_dgram_socket { write create connect };
>+
>+allow pads_t pads_config_t:file manage_file_perms;
>+files_etc_filetrans(pads_t, pads_config_t, file)
>+
>+allow pads_t pads_var_run_t:file manage_file_perms;
>+files_pid_filetrans(pads_t, pads_var_run_t, file)
>+
>+corecmd_search_sbin(pads_t)
>+
>+corenet_all_recvfrom_unlabeled(pads_t)
>+corenet_all_recvfrom_netlabel(pads_t)
>+corenet_tcp_sendrecv_all_if(pads_t)
>+corenet_tcp_sendrecv_all_nodes(pads_t)
>+
>+corenet_tcp_connect_prelude_port(pads_t)
>+
>+dev_read_rand(pads_t)
>+dev_read_urand(pads_t)
>+
>+files_read_etc_files(pads_t)
>+files_search_spool(pads_t)
>+
>+libs_use_ld_so(pads_t)
>+libs_use_shared_libs(pads_t)
>+
>+miscfiles_read_localization(pads_t)
>+
>+logging_send_syslog_msg(pads_t)
>+
>+sysnet_dns_name_resolve(pads_t)
>+
>+optional_policy(`
>+ prelude_rw_spool(pads_t)
>+')
>diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
>index b40d67b..2ec9733 100644
>--- a/policy/modules/services/postgresql.te
>+++ b/policy/modules/services/postgresql.te
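Review bot: pads_t is given `corenet_tcp_sendrecv_all_if`, `corenet_tcp_sendrecv_all_nodes` and `corenet_tcp_connect_prelude_port`, but no rule in the hunk grants pads_t permissions on self:tcp_socket, so unless one of the interfaces called here happens to supply them (I cannot confirm that from this page) the TCP rules describe a socket the domain cannot create or connect; the prelude_correlator block later in this patch pairs the same corenet calls with `allow prelude_correlator_t self:tcp_socket { write ioctl setopt read create getattr connect };`, and pads_t needs the equivalent or the TCP calls should go. The second section header repeats `# Declarations`; it should read `# pads local policy`, matching the `# prelude local policy` heading used in prelude.te. Also, `allow pads_t pads_config_t:file manage_file_perms;` together with `files_etc_filetrans` lets the daemon create, rewrite and delete everything labelled pads_config_t, which per pads.fc includes pads.conf and the signature list; if the only file it actually writes is the assets CSV (not verifiable from here), giving that file its own type would keep the configuration read-only to the daemon.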
>@@ -162,7 +162,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file
> 
> manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
> manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
>-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
>+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file })
> 
> kernel_read_kernel_sysctls(postgresql_t)
> kernel_read_system_state(postgresql_t)
>diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc
>index 2806c1d..33b9e4f 100644
>--- a/policy/modules/services/prelude.fc
>+++ b/policy/modules/services/prelude.fc
>@@ -13,6 +13,10 @@
> /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
> /var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
> 
>+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_script_exec_t, s0)
> /etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
> /etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
> 
>+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
>+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
>+
>diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
>index cc3d233..ad6e8c6 100644
>--- a/policy/modules/services/prelude.te
>+++ b/policy/modules/services/prelude.te
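Review bot: The three new prelude.fc entries write `gen_context(..., s0)` with a space before `s0`, while every existing line in the hunk uses `,s0`; m4 should strip the leading whitespace so the resulting context is the same, but the file becomes inconsistent to read and to grep. Drop the space, e.g. `/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)`. The hunk also appends an empty line at the end of the file.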
>@@ -47,6 +47,22 @@ files_tmp_file(prelude_lml_tmp_t)
> 
> ########################################
> #
>+# prelude_correlator declarations
>+#
>+
>+type prelude_correlator_t;
>+type prelude_correlator_exec_t;
>+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
>+role system_r types prelude_correlator_t;
>+
>+type prelude_correlator_script_exec_t;
>+init_script_type(prelude_correlator_script_exec_t)
>+
>+type prelude_correlator_config_t;
>+files_config_file(prelude_correlator_config_t)
>+
>+########################################
>+#
> # prelude local policy
> #
> 
>@@ -77,6 +93,7 @@ corenet_tcp_sendrecv_all_nodes(prelude_t)
> corenet_tcp_bind_all_nodes(prelude_t)
> corenet_tcp_bind_prelude_port(prelude_t)
> corenet_tcp_connect_prelude_port(prelude_t)
>+corenet_tcp_connect_postgresql_port(prelude_t)
> 
> dev_read_rand(prelude_t)
> dev_read_urand(prelude_t)
>@@ -87,6 +104,8 @@ domain_use_interactive_fds(prelude_t)
> files_read_etc_files(prelude_t)
> files_read_usr_files(prelude_t)
> 
>+files_search_tmp(prelude_t)
>+
> fs_rw_anon_inodefs_files(prelude_t)
> 
> auth_use_nsswitch(prelude_t)
>@@ -159,7 +178,6 @@ sysnet_dns_name_resolve(prelude_audisp_t)
> #
> 
> # Init script handling
>-# Test me
> domain_use_interactive_fds(prelude_lml_t)
> 
> allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
>@@ -217,6 +235,9 @@ logging_read_generic_logs(prelude_lml_t)
> 
> miscfiles_read_localization(prelude_lml_t)
> 
>+# if prelude_lml wants to relay to a remote prelude-manager using dns
>+sysnet_dns_name_resolve(prelude_lml_t)
>+
> optional_policy(`
> gamin_exec(prelude_lml_t)
> ')
>@@ -227,11 +248,55 @@ optional_policy(`
> 
> ########################################
> #
>+# prelude_correlator local policy
>+#
>+
>+allow prelude_correlator_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>+allow prelude_correlator_t self:tcp_socket { write ioctl setopt read create getattr connect };
>+allow prelude_correlator_t self:unix_dgram_socket { write create connect };
>+
>+allow prelude_correlator_t prelude_correlator_config_t:dir { read search getattr };
>+allow prelude_correlator_t prelude_correlator_config_t:file { read getattr };
>+
>+corecmd_search_sbin(prelude_correlator_t)
>+
>+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
>+corenet_all_recvfrom_netlabel(prelude_correlator_t)
>+corenet_tcp_sendrecv_all_if(prelude_correlator_t)
>+corenet_tcp_sendrecv_all_nodes(prelude_correlator_t)
>+
>+corenet_tcp_connect_prelude_port(prelude_correlator_t)
>+
>+dev_read_rand(prelude_correlator_t)
>+dev_read_urand(prelude_correlator_t)
>+
>+files_read_etc_files(prelude_correlator_t)
>+files_read_usr_files(prelude_correlator_t)
>+files_search_spool(prelude_correlator_t)
>+
>+libs_use_ld_so(prelude_correlator_t)
>+libs_use_shared_libs(prelude_correlator_t)
>+
>+miscfiles_read_localization(prelude_correlator_t)
>+
>+logging_send_syslog_msg(prelude_correlator_t)
>+
>+prelude_rw_spool(prelude_correlator_t)
>+
>+sysnet_dns_name_resolve(prelude_correlator_t)
>+
>+########################################
>+#
> # prewikka_cgi Declarations
> #
> 
> optional_policy(`
> apache_content_template(prewikka)
>+ apache_search_sys_content(httpd_prewikka_script_t)
>+
>+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
>+
>+ files_search_tmp(httpd_prewikka_script_t)
> files_read_etc_files(httpd_prewikka_script_t)
> 
> auth_use_nsswitch(httpd_prewikka_script_t)
>diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
>index 1f4b36d..49b53f1 100644
>--- a/policy/modules/services/snort.te
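Review bot: The config access for prelude_correlator_t is hand-listed as `allow prelude_correlator_t prelude_correlator_config_t:dir { read search getattr };` and `allow prelude_correlator_t prelude_correlator_config_t:file { read getattr };`, which leaves out permissions the policy's read permission sets carry (in the version this targets, likely `open`, `lock` and `ioctl`) and departs from the macro style used elsewhere in this patch (`manage_file_perms` in pads.te, `manage_files_pattern` in postgresql.te). Using `list_dirs_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)` and `read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)` keeps the rules tracking the policy's own definition of read access instead of a set that will need patching on the first denial. The prewikka additions at the end of the hunk sit inside an optional_policy block whose closing `')` is outside the hunk.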
>+++ b/policy/modules/services/snort.te
>@@ -33,6 +33,8 @@ files_pid_file(snort_var_run_t)
> allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
> dontaudit snort_t self:capability sys_tty_config;
> allow snort_t self:process signal_perms;
>+# Snort IPS node. unverified. netlink_firewall_socket
>+allow snort_t self:netlink_firewall_socket { bind create getattr };
> allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
> allow snort_t self:tcp_socket create_stream_socket_perms;
> allow snort_t self:udp_socket create_socket_perms;
>@@ -97,6 +99,9 @@ userdom_dontaudit_use_unpriv_user_fds(snort_t)
> 
> sysadm_dontaudit_search_home_dirs(snort_t)
> 
>+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
>+sysnet_dns_name_resolve(snort_t)
>+
> optional_policy(`
> prelude_rw_spool(snort_t)
> ')
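Review bot: The comment above the new `allow snort_t self:netlink_firewall_socket { bind create getattr };` says the need is unverified, and no denial is cited in the hunk; an allow rule added on that basis widens snort_t without evidence (netlink_firewall is, as far as I know, the ip_queue interface used for inline IPS mode, which not every deployment enables). Either confirm the requirement from an AVC denial with snort running inline and reword the comment to state what it is for, e.g. `# inline (IPS) mode: ip_queue access via netlink_firewall_socket`, or leave the rule out until it is verified. In the second hunk the comment `# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager` should read `# snort must be able to resolve DNS in case it relays to a remote prelude-manager`.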