author | Miroslav Grepl <mgrepl@redhat.com> | 2010-08-30 18:22:52 +0200 |
committer | Miroslav Grepl <mgrepl@redhat.com> | 2010-08-30 18:22:52 +0200 |
commit | 46bbafd82762f96e484a4176be4838392d8c2682 (patch) | |
tree | d4a586b50a210b8733e2dfeb3559f9307a9b19c7 | |
parent | 0eeec8d3999e4696994ecb3ff74342d072ce89c3 (diff) | |
- Fixes for jabberd_router policy (router can use kerberos)
- Fixes for myjabberd.sh script
-rw-r--r-- | myjabberd.fc | 2 | ||||
-rwxr-xr-x | myjabberd.sh | 3 | ||||
-rw-r--r-- | myjabberd.te | 61 |
3 files changed, 60 insertions, 6 deletions
diff --git a/myjabberd.fc b/myjabberd.fc
index db5ad27..b718a09 100644
--- a/myjabberd.fc
+++ b/myjabberd.fc
@@ -3,4 +3,4 @@
 /usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 /usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
diff --git a/myjabberd.sh b/myjabberd.sh
index f8d8a76..835de8d 100755
--- a/myjabberd.sh
+++ b/myjabberd.sh
@@ -12,5 +12,6 @@
 echo "Building and Loading Policy"
 set -x
 make -f /usr/share/selinux/devel/Makefile
 /usr/sbin/semodule -i myjabberd.pp
+/usr/sbin/semanage port -a -t jabber_router_port_t -p tcp 5347 2> /dev/null
-/sbin/restorecon -F -R -v /usr/bin/router /usr/bin/sm /usr/bin/c2s /usr/bin/s2s
+/sbin/restorecon -F -R -v /usr/bin/router /usr/bin/sm /usr/bin/c2s /usr/bin/s2s /var/lib/jabberd
diff --git a/myjabberd.te b/myjabberd.te
index 15dbe67..2d6fd5a 100644
--- a/myjabberd.te
+++ b/myjabberd.te
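Review bot: The added `semanage port -a -t jabber_router_port_t -p tcp 5347 2> /dev/null` discards the only signal that the port labeling failed; `-a` exits non-zero when a definition for tcp/5347 already exists (and, presumably, when semanage is not installed), and the script then continues to restorecon with no message, leaving the router's `name_bind` on `jabber_router_port_t` unsatisfied at runtime. Since `set -x` is already on, keeping stderr costs nothing and makes the failure visible. Suggest falling back to modify instead of silencing: `/usr/sbin/semanage port -a -t jabber_router_port_t -p tcp 5347 || /usr/sbin/semanage port -m -t jabber_router_port_t -p tcp 5347`.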
@@ -6,15 +6,68 @@ policy_module(myjabberd, 1.0)
 # Declarations
 #
-type jabberd_router_t;
-type jabberd_router_exec_t;
-init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+attribute jabberd_domain;
 require{
+ attribute port_type;
+ type jabberd_t;
 type jabberd_exec_t;
+ type jabberd_var_lib_t;
 }
+type jabberd_router_t, jabberd_domain;
+type jabberd_router_exec_t;
+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+
+type jabber_router_port_t, port_type;
+
 ########################################
 #
-# Local policy
+# Local policy router
 #
+
+#allow jabberd_router_t self:process setfscreate;
+
+allow jabberd_router_t self:process signal_perms;
+allow jabberd_router_t self:fifo_file read_fifo_file_perms;
+allow jabberd_router_t self:tcp_socket create_stream_socket_perms;
+allow jabberd_router_t self:udp_socket create_socket_perms;
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+kernel_read_system_state(jabberd_t)
+
+files_read_etc_files(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_router_t)
+
+corenet_all_recvfrom_unlabeled(jabberd_router_t)
+corenet_all_recvfrom_netlabel(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_router_t)
+corenet_udp_sendrecv_generic_if(jabberd_router_t)
+corenet_tcp_sendrecv_generic_node(jabberd_router_t)
+corenet_udp_sendrecv_generic_node(jabberd_router_t)
+corenet_tcp_sendrecv_all_ports(jabberd_router_t)
+corenet_udp_sendrecv_all_ports(jabberd_router_t)
+corenet_tcp_bind_generic_node(jabberd_router_t)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_router_t)
+
+allow jabberd_router_t jabber_router_port_t:tcp_socket name_bind;
+allow jabberd_t jabber_router_port_t:tcp_socket name_connect;
+
+dev_read_urand(jabberd_router_t)
+dev_read_urand(jabberd_t)
+
+logging_send_syslog_msg(jabberd_router_t)
+
+miscfiles_read_localization(jabberd_router_t)
+
+sysnet_read_config(jabberd_router_t)
+
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')
 |
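Review bot: Three of the added rules widen the base `jabberd_t` domain from this module (`kernel_read_system_state(jabberd_t)`, `dev_read_urand(jabberd_t)` and `allow jabberd_t jabber_router_port_t:tcp_socket name_connect;`), which the commit message, limited to the router, does not mention; a one-line comment above each naming the denial it resolves, e.g. `# jabberd_t: needed to reach the router port (see audit denial)`, would keep the widening reviewable, and these rules look like candidates for the upstream jabberd module rather than a local one. `jabber_router_port_t` is declared here with no port labeling in the policy, so the router's `name_bind` only succeeds if the separate `semanage port` step in myjabberd.sh ran; a comment next to the declaration stating that dependency would help. The commented-out `#allow jabberd_router_t self:process setfscreate;` should be dropped or annotated with why it is kept.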