author | Nathan Straz <nstraz@redhat.com> | 2009-10-22 17:54:49 -0400 |
---|---|---|
committer | Nathan Straz <nstraz@redhat.com> | 2009-10-22 17:54:49 -0400 |
commit | 6ec522d33eed9bf993c9a5a5f80a21f5db5ce113 (patch) | |
tree | 437f91ff8acc26b54950572c7e86c5235da3cff8 | |
parent | 0d65048dd98bc1b408fe9a2f3e6157c28a1c4c7d (diff) | |
Add SELinux policy for qarshd
We generate the policy based on which services we want to test.
-rw-r--r-- | SELinux/Makefile | 32 | ||||
-rw-r--r-- | SELinux/qarshd.fc | 2 | ||||
-rw-r--r-- | SELinux/qarshd.if | 0 | ||||
-rw-r--r-- | SELinux/qarshd.te.in | 36 | ||||
-rw-r--r-- | SELinux/qarshd.te.m4 | 2 | ||||
-rw-r--r-- | qarsh.spec | 45 |
6 files changed, 116 insertions, 1 deletions
diff --git a/SELinux/Makefile b/SELinux/Makefile
new file mode 100644
index 0000000..57aec51
--- /dev/null
+++ b/SELinux/Makefile
@@ -0,0 +1,32 @@
+
+# Since qarshd.te is generated, set an explicit dep on qarshd.pp
+all: qarshd.pp
+
+vpath qarshd.% /usr/share/selinux/packages/qarsh
+selinux_devel := /usr/share/selinux/devel
+
+interfaces := services/aisexec.if \
+ services/ccs.if \
+ services/rgmanager.if \
+ services/rhcs.if \
+ system/lvm.if \
+ system/logging.if
+
+
+interfaces_full := $(addprefix $(selinux_devel)/include/, $(interfaces))
+# Wouldn't it be nice to do them all?
+#interfaces_full := $(wildcard $(selinux_devel)/include/services/*.if)
+
+include $(selinux_devel)/Makefile
+
+qarshd.te: qarshd.te.in qarshd.te.trans
+ cat $^ > $@
+
+qarshd.te.trans: qarshd.te.m4 $(interfaces_full)
+ $(M4) $^ | grep qarshd_t > $@
+
+# Add a cleanup step for our generated files
+clean: clean-qarsh
+
+clean-qarsh:
+ $(RM) qarshd.te qarshd.te.trans
diff --git a/SELinux/qarshd.fc b/SELinux/qarshd.fc
new file mode 100644
index 0000000..8f82386
--- /dev/null
+++ b/SELinux/qarshd.fc
@@ -0,0 +1,2 @@
+/usr/sbin/qarshd -- gen_context(system_u:object_r:qarshd_exec_t,s0)
+/usr/sbin/btimed -- gen_context(system_u:object_r:qarshd_exec_t,s0)
diff --git a/SELinux/qarshd.if b/SELinux/qarshd.if
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/SELinux/qarshd.if
diff --git a/SELinux/qarshd.te.in b/SELinux/qarshd.te.in
new file mode 100644
index 0000000..7936140
--- /dev/null
+++ b/SELinux/qarshd.te.in
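Review bot: The `qarshd.te.trans` recipe can leave a truncated or empty target behind when generation fails, because `> $@` is opened before `$(M4)` runs and, with the default shell, only grep's exit status decides the recipe's result; on the next run make may then treat that stale file as up to date and `qarshd.te` gets assembled without the service interface calls. Writing through a temporary name, `$(M4) $^ | grep qarshd_t > $@.tmp && mv -f $@.tmp $@`, and adding `.DELETE_ON_ERROR:` near the top of the file keeps a failed generation from being silently reused. `clean-qarsh` is a command, not a file, so it should be declared with `.PHONY: clean-qarsh` so that a stray file of that name cannot mask the cleanup. The `vpath qarshd.% /usr/share/selinux/packages/qarsh` line deserves a comment naming which qarshd.% input it is expected to supply, since the spec only installs qarshd.pp into that directory and a stale installed module could otherwise satisfy `all`.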
@@ -0,0 +1,36 @@
+
+policy_module(qarshd, 1.0.0.22);
+
+require {
+ type unconfined_t;
+}
+
+type qarshd_t;
+type qarshd_exec_t;
+
+# --------------- QARSHD part ------------------
+
+# we define new domain, assign common attributes
+domain_type(qarshd_t);
+
+# we don't want qarshd domain to be confined in any
+# way as qarshd must be able to do all as root
+unconfined_domain(qarshd_t);
+
+# define qarshd as (x)inetd service with it's own domain
+inetd_tcp_service_domain(qarshd_t,qarshd_exec_t);
+
+# whenever we run anything with qarshd_exec_t type
+# we want to end up in qarshd_t domain. This will be
+# useful when starting daemons manually from shell
+domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t);
+
+# allow any transition from qarshd_t
+allow qarshd_t domain:process { transition };
+
+# allow any domain to write to qarshd_t sockets
+allow domain qarshd_t:tcp_socket { write read };
+
+# allow any domain to signal to qarshd_t process
+allow domain qarshd_t:process { sigchld };
+
diff --git a/SELinux/qarshd.te.m4 b/SELinux/qarshd.te.m4
new file mode 100644
index 0000000..27291b1
--- /dev/null
+++ b/SELinux/qarshd.te.m4
@@ -0,0 +1,2 @@
+define(interface, `ifelse(regexp($1, `domtrans$'), `-1', , `$1(qarshd_t)')')
+
@@ -1,7 +1,7 @@
 Summary: QA Remote Shell
 Name: qarsh
 Version: 1.24
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: QA
 License: GPL
 Buildroot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
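Review bot: The top-level `require { type unconfined_t; }` makes the whole module fail to link on any policy that does not ship the unconfined module, even though only the `domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t)` rule needs that type. Wrapping that one rule in `optional_policy(` with a `gen_require(` for `unconfined_t` inside it, and using the refpolicy idiom `domtrans_pattern` in place of the old `domain_auto_trans` macro, confines the dependency to the rule that has it. The three `allow` rules that use `domain` as source or target grant every domain on the system read/write on qarshd_t TCP sockets and let qarshd_t transition into any domain; the comments state the intent, but a sentence on why the inherited-socket case cannot be narrowed to the domains qarshd actually execs would help the next reader judge the breadth. The comment `with it's own domain` should read `with its own domain`.
```selinux
# … unchanged: policy_module, types, domain_type, unconfined_domain, inetd_tcp_service_domain …

# whenever we run anything with qarshd_exec_t type
# we want to end up in qarshd_t domain. This will be
# useful when starting daemons manually from shell
optional_policy(`
	gen_require(`
		type unconfined_t;
	')
	domtrans_pattern(unconfined_t, qarshd_exec_t, qarshd_t)
')

# … unchanged: allow rules for transition, tcp_socket and sigchld …
```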
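Review bot: The `interface` redefinition instantiates every interface found in the selected .if files with the single argument `qarshd_t`, excluding only names that end in `domtrans`; any interface declared with two parameters (the refpolicy `*_run` shape that takes a role as `$2`) would be emitted as a one-argument call that either fails to build or expands with an empty role — worth confirming against the six files listed in the Makefile's `interfaces` variable. Since this file decides how much of each service's interface surface qarshd_t receives, a header comment stating the selection rule, e.g. `dnl Emit name(qarshd_t) for every interface(name, body) in the given .if files, except names ending in domtrans; the Makefile keeps only lines matching qarshd_t`, would let a reader audit the generated qarshd.te without re-deriving it.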
@@ -31,17 +31,41 @@ allows anyone to connect to the host as any user and do any thing. WARNING: THIS PACKAGE PROVIDES REMOTE ROOT ACCESS WITHOUT AUTHENTICATION + + +%global selinux_variants targeted +%global selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0) + +%package selinux +Summary: SELinux policy module supporting qarsh +Group: QA +BuildRequires: checkpolicy, selinux-policy-devel, /usr/share/selinux/devel/policyhelp, hardlink +%if "%{selinux_policyver}" != "" +Requires: selinux-policy >= %{selinux_policyver} +%endif +Requires: %{name} = %{version}-%{release} +Requires(post): /usr/sbin/semodule, /sbin/fixfiles, qarsh-server +Requires(postun): /usr/sbin/semodule + + +%description selinux +SELinux policy maker for qarsh + %prep %setup -q %build make %{?_smp_mflags} +make -C SELinux %install rm -rf $RPM_BUILD_ROOT make install INSTROOT=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT%{_datadir}/selinux/packages/qarsh +cp -p SELinux/qarshd.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/qarsh + %clean rm -rf $RPM_BUILD_ROOT @@ -53,6 +77,15 @@ if [ $1 = 0 ]; then /sbin/service xinetd reload > /dev/null 2>&1 || : fi +%post selinux +/usr/sbin/semodule -i %{_datadir}/selinux/packages/qarsh/qarshd.pp || : +/sbin/fixfiles -R qarsh-server restore || : + +%postun selinux +if [ $1 = 0 ]; then + /usr/sbin/semodule -r qarshd || : +fi + %files %defattr(-,root,root) /usr/bin/qarsh @@ -68,7 +101,17 @@ fi %config /etc/xinetd.d/btimed %doc %{_mandir}/man8/* +%files selinux +%defattr(-,root,root) +%doc SELinux/* +%{_datadir}/selinux/packages/qarsh + + %changelog +* Thu Oct 22 2009 Nate Straz <nstraz@redhat.com> ++ qarsh-1.24-3 +- Add SELinux policy build + * Fri Apr 17 2009 Nate Straz <nstraz@redhat.com> + qarsh-1.24-2 - Fix up spec file for tarballs with prefixes |
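Review bot: In the `-31,17` hunk the `%if "%{selinux_policyver}" != ""` guard can never be false, because the `%global selinux_policyver` definition falls back to `echo 0.0.0`, so on a build host without policyhelp the package gets `Requires: selinux-policy >= 0.0.0` instead of no versioned requirement; either drop the `|| echo 0.0.0` fallback or test against `0.0.0`. The same hunk adds `%global selinux_variants targeted` and a `hardlink` BuildRequires that nothing in the visible hunks uses; if they are placeholders for a later multi-variant build, a comment saying so would stop them being read as dead configuration. In the `-68,7` hunk, `%doc SELinux/*` is evaluated after `make -C SELinux` has run in the same tree, so it likely sweeps the generated qarshd.te, qarshd.te.trans and the module build output into the doc directory along with the sources; listing the sources explicitly, `%doc SELinux/Makefile SELinux/qarshd.fc SELinux/qarshd.if SELinux/qarshd.te.in SELinux/qarshd.te.m4`, keeps what ships as documentation deliberate.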