Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/cvs.te

139 lines
3.3 KiB
Text
Raw Permalink Normal View History

policy_module(cvs, 1.10.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether cvs can read shadow
## password files.
## </p>
## </desc>
gen_tunable(cvs_read_shadow, false)
type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t, cvs_exec_t)
init_daemon_domain(cvs_t, cvs_exec_t)
application_executable_file(cvs_exec_t)
type cvs_data_t; # customizable
files_type(cvs_data_t)
type cvs_initrc_exec_t;
init_script_file(cvs_initrc_exec_t)
type cvs_keytab_t;
files_type(cvs_keytab_t)
type cvs_tmp_t;
files_tmp_file(cvs_tmp_t)
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
type cvs_home_t;
userdom_user_home_content(cvs_home_t)
########################################
#
# Local policy
#
allow cvs_t self:capability { dac_read_search setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:tcp_socket { accept listen };
userdom_search_user_home_dirs(cvs_t)
allow cvs_t cvs_home_t:file read_file_perms;
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
allow cvs_t cvs_keytab_t:file read_file_perms;
manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t)
files_pid_filetrans(cvs_t, cvs_var_run_t, file)
kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)
corenet_all_recvfrom_unlabeled(cvs_t)
corenet_all_recvfrom_netlabel(cvs_t)
corenet_tcp_sendrecv_generic_if(cvs_t)
corenet_tcp_sendrecv_generic_node(cvs_t)
corenet_sendrecv_cvs_server_packets(cvs_t)
corenet_tcp_bind_cvs_port(cvs_t)
corenet_tcp_sendrecv_cvs_port(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
corenet_all_recvfrom_netlabel(cvs_t)
corenet_tcp_sendrecv_generic_if(cvs_t)
corenet_udp_sendrecv_generic_if(cvs_t)
corenet_tcp_sendrecv_generic_node(cvs_t)
corenet_udp_sendrecv_generic_node(cvs_t)
corenet_tcp_sendrecv_all_ports(cvs_t)
corenet_udp_sendrecv_all_ports(cvs_t)
corenet_tcp_bind_cvs_port(cvs_t)
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
files_search_home(cvs_t)
fs_getattr_xattr_fs(cvs_t)
auth_domtrans_chk_passwd(cvs_t)
auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
init_dontaudit_read_utmp(cvs_t)
logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)
mta_send_mail(cvs_t)
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`cvs_read_shadow',`
allow cvs_t self:capability { dac_read_search };
auth_tunable_read_shadow(cvs_t)
')
optional_policy(`
kerberos_read_config(cvs_t)
kerberos_read_keytab(cvs_t)
kerberos_use(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
########################################
#
# CVSWeb local policy
#
optional_policy(`
apache_content_template(cvs)
apache_content_alias_template(cvs, cvs)
read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
')