--- services/gorg.te	1970-01-01 01:00:00.000000000 +0100
+++ ../../../refpolicy/policy/modules/services/gorg.te	2011-01-07 22:35:18.986000107 +0100
@@ -0,0 +1,59 @@
+policy_module(gorg, 1.0.0)
+
+type gorg_t;
+type gorg_exec_t;
+typealias gorg_t alias { staff_gorg_t user_gorg_t };
+application_domain(gorg_t, gorg_exec_t)
+role staff_r types gorg_t;
+role user_r types gorg_t;
+
+type gorg_cache_t;
+files_type(gorg_cache_t);
+
+type gorg_config_t;
+files_type(gorg_config_t);
+
+# Allow gorg_t to put files in the gorg_cache_t location(s)
+manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+
+# Allow gorg_t to read configuration file(s)
+allow gorg_t gorg_config_t:dir list_dir_perms;
+read_files_pattern(gorg_t, gorg_config_t, gorg_config_t)
+
+# gorg logs through /dev/log
+logging_send_syslog_msg(gorg_t)
+
+# Allow gorg to bind to port 8080 (http_cache_port_t)
+sysnet_read_config(gorg_t)
+sysnet_dns_name_resolve(gorg_t)
+corenet_all_recvfrom_unlabeled(gorg_t)
+corenet_all_recvfrom_netlabel(gorg_t)
+corenet_tcp_sendrecv_generic_if(gorg_t)
+corenet_tcp_sendrecv_generic_node(gorg_t)
+#corenet_tcp_sendrecv_all_ports(gorg_t)
+corenet_tcp_bind_generic_node(gorg_t)
+corenet_tcp_bind_http_cache_port(gorg_t)
+allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow gorg_t self:tcp_socket { listen accept };
+
+# Allow gorg read access to user home files (usually where cvs/git pull is stored)
+files_search_home(gorg_t)
+userdom_search_user_home_dirs(gorg_t)
+userdom_user_home_content(gorg_t)
+userdom_list_user_home_content(gorg_t)
+userdom_read_user_home_content_symlinks(gorg_t)
+userdom_read_user_home_content_files(gorg_t)
+
+# Local policy
+allow gorg_t self:fifo_file rw_fifo_file_perms;
+
+# Read /etc files (xml/catalog, hosts.conf, ...)
+files_read_etc_files(gorg_t)
+
+# Gorg is ruby, so be able to execute ruby
+corecmd_exec_bin(gorg_t)
+
+# Output to screen
+userdom_use_user_terminals(gorg_t)
+domain_use_interactive_fds(gorg_t)
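Review bot: `userdom_user_home_content(gorg_t)` in the user-home block looks wrong for a domain type: in refpolicy that interface marks its argument as user home content (it attaches the user_home_content_type attribute and calls files_type on it), so applying it to gorg_t labels the process type as home data instead of granting it access, and the read access the comment describes is already supplied by `userdom_read_user_home_content_files(gorg_t)` and the surrounding calls, so the line should be dropped. Read access to every user's home content is also broad for a site generator; refpolicy convention is to gate such access behind a boolean, e.g. `gen_tunable(gorg_read_user_home, false)` with the userdom_* calls wrapped in `tunable_policy(`gorg_read_user_home', ...)`, so deployments that keep their checkouts elsewhere do not grant it. No gorg.if is part of this patch, so unless it lands separately there is no domtrans/role interface through which a user domain can actually enter gorg_t, and the `role staff_r types gorg_t;` / `role user_r types gorg_t;` statements would normally live in that interface rather than in the .te. The cache rules grant manage permissions on gorg_cache_t only; reaching /var/cache/gorg presumably also needs search on the parent directories (`files_search_var(gorg_t)` or similar), which is worth confirming against the AVC denials from a permissive run.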
--- services/gorg.fc	1970-01-01 01:00:00.000000000 +0100
+++ ../../../refpolicy/policy/modules/services/gorg.fc	2011-01-07 22:35:22.840999786 +0100
@@ -0,0 +1,3 @@
+/etc/gorg(/.*)?				gen_context(system_u:object_r:gorg_config_t,s0)
+/var/cache/gorg(/.*)?			gen_context(system_u:object_r:gorg_cache_t,s0)
+/usr/bin/gorg			--	gen_context(system_u:object_r:gorg_exec_t,s0)