From a3ba3bc9399d8f36380b8cb68f7b0ca1084c1929 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 23 Oct 2008 16:44:05 +0200 Subject: added new selinux_booleans and policykit_roles policies --- ipaaction/ipaaction.rng | 28 +- ipaaction/ipaaction_example_policy.xml | 3 + policykit_roles/policykit_roles.rng | 153 ++++++++ policykit_roles/policykit_roles.xslt | 120 +++++++ policykit_roles/policykit_roles_example_policy.xml | 46 +++ selinux_booleans/selinux_booleans.rng | 386 +++++++++++++++++++++ .../selinux_booleans_example_policy.xml | 17 + 7 files changed, 748 insertions(+), 5 deletions(-) create mode 100644 policykit_roles/policykit_roles.rng create mode 100644 policykit_roles/policykit_roles.xslt create mode 100644 policykit_roles/policykit_roles_example_policy.xml create mode 100644 selinux_booleans/selinux_booleans.rng create mode 100644 selinux_booleans/selinux_booleans_example_policy.xml diff --git a/ipaaction/ipaaction.rng b/ipaaction/ipaaction.rng index 983786b..8500275 100644 --- a/ipaaction/ipaaction.rng +++ b/ipaaction/ipaaction.rng @@ -3,6 +3,7 @@ xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0" +xmlns:s="http://purl.oclc.org/dsdl/schematron" xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> IPA Actions @@ -26,6 +27,23 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> + + + + too many files + + + too many runs + + + + + + + /.* + + + @@ -57,11 +75,11 @@ xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> - - - /.* - - + + + + + diff --git a/ipaaction/ipaaction_example_policy.xml b/ipaaction/ipaaction_example_policy.xml index 7198992..e545703 100644 --- a/ipaaction/ipaaction_example_policy.xml +++ b/ipaaction/ipaaction_example_policy.xml @@ -16,6 +16,9 @@ nobody nogroup 0444 + unconfined_u:object_r:user_home_t:s0 + user:dummy:rw- + user:admin:rw- /bin/rm /tmp/something.txt 
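Review bot: The path pattern `/.*` that this hunk moves into the new block only pins the leading slash, so it still accepts `..` components, embedded whitespace and newlines in a path value; the markup is stripped in this view, so if a stricter facet already applies elsewhere disregard this, otherwise a pattern that excludes such segments is worth considering. The two new schematron messages `too many files` and `too many runs` do not say what the limit is; a message such as `too many files: at most N file elements are allowed` (with N the value the assertion actually tests) makes the validation error actionable. The test expressions behind these assertions are not visible here, so I cannot confirm what they count.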
diff --git a/policykit_roles/policykit_roles.rng b/policykit_roles/policykit_roles.rng new file mode 100644 index 0000000..204e9a9 --- /dev/null +++ b/policykit_roles/policykit_roles.rng 
@@ -0,0 +1,153 @@ + + + + Role definitions for Policy Kit + + The following section can be used to register the RNG schema file for the UI + policykit_roles + modify Policy Kit roles + sbose@redhat.com + 0.1 + + policykit_roles.rng + policykit_roles.xslt + policykit_roles + + + + + + + + + + + + + + + + + + + org.freedesktop.consolekit.system.stop + org.freedesktop.consolekit.system.stop-multiple-users + org.freedesktop.consolekit.system.restart + org.freedesktop.consolekit.system.restart-multiple-users + org.freedesktop.hal.device-access.sound + org.freedesktop.hal.device-access.video4linux + org.freedesktop.hal.device-access.cdrom + org.freedesktop.hal.device-access.dvb + org.freedesktop.hal.device-access.camera + org.freedesktop.hal.device-access.scanner + org.freedesktop.hal.device-access.audio-player + org.freedesktop.hal.device-access.ieee1394-iidc + org.freedesktop.hal.device-access.ieee1394-avc + org.freedesktop.hal.device-access.pda + org.freedesktop.hal.dockstation.undock + org.freedesktop.hal.killswitch.bluetooth + org.freedesktop.hal.killswitch.wlan + org.freedesktop.hal.killswitch.wwan + org.freedesktop.hal.lock + org.freedesktop.hal.power-management.shutdown + org.freedesktop.hal.power-management.shutdown-multiple-sessions + org.freedesktop.hal.power-management.reboot + org.freedesktop.hal.power-management.reboot-multiple-sessions + org.freedesktop.hal.power-management.set-powersave + org.freedesktop.hal.power-management.suspend + org.freedesktop.hal.power-management.hibernate + org.freedesktop.hal.power-management.cpufreq + org.freedesktop.hal.power-management.lcd-panel + org.freedesktop.hal.power-management.light-sensor + org.freedesktop.hal.power-management.keyboard-backlight + org.freedesktop.hal.storage.mount-fixed + org.freedesktop.hal.storage.mount-removable + org.freedesktop.hal.storage.unmount-others + org.freedesktop.hal.storage.eject + org.freedesktop.hal.storage.crypto-setup-fixed + org.freedesktop.hal.storage.crypto-setup-removable + 
org.freedesktop.hal.wol.enabled + org.freedesktop.hal.wol.enable + org.freedesktop.hal.wol.supported + org.freedesktop.network-manager-settings.system.modify + org.freedesktop.packagekit.install + org.freedesktop.packagekit.localinstall-untrusted + org.freedesktop.packagekit.localinstall-trusted + org.freedesktop.packagekit.install-signature + org.freedesktop.packagekit.accept-eula + org.freedesktop.packagekit.update-package + org.freedesktop.packagekit.remove + org.freedesktop.packagekit.update-system + org.freedesktop.packagekit.rollback + org.freedesktop.packagekit.repo-change + org.freedesktop.packagekit.refresh-cache + org.freedesktop.packagekit.set-proxy + org.freedesktop.policykit.read + org.freedesktop.policykit.revoke + org.freedesktop.policykit.grant + org.freedesktop.policykit.modify-defaults + org.gnome.clockapplet.mechanism.settimezone + org.gnome.clockapplet.mechanism.settime + org.gnome.clockapplet.mechanism.configurehwclock + org.gnome.system-monitor.change-priority + org.gnome.system-monitor.increase-own-priority + org.gnome.system-monitor.kill + org.libvirt.unix.monitor + org.libvirt.unix.manage + org.pulseaudio.acquire-real-time + org.pulseaudio.acquire-high-priority + + + + + + + + + no + auth_self + auth_self_keep_session + auth_self_keep_always + auth_admin + auth_admin_keep_session + auth_admin_keep_always + yes + + + + + no + auth_self + auth_self_keep_session + auth_self_keep_always + auth_admin + auth_admin_keep_session + auth_admin_keep_always + yes + + + + + no + auth_self + auth_self_keep_session + auth_self_keep_always + auth_admin + auth_admin_keep_session + auth_admin_keep_always + yes + + + + + + + + + + diff --git a/policykit_roles/policykit_roles.xslt b/policykit_roles/policykit_roles.xslt new file mode 100644 index 0000000..09718ee --- /dev/null +++ b/policykit_roles/policykit_roles.xslt 
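Review bot: The result enumeration `no`, `auth_self`, `auth_self_keep_session`, `auth_self_keep_always`, `auth_admin`, `auth_admin_keep_session`, `auth_admin_keep_always`, `yes` is written out three times in this file (presumably once per allow_any / allow_inactive / allow_active setting, judging from the stylesheet in the same commit); a single named define referenced three times keeps the three settings from drifting apart when a value is added. The list of action ids is a hard-coded snapshot, so any new PolicyKit action requires a schema change; a comment at the top of the enumeration stating where the list was taken from and that it must be kept in sync would help the next maintainer. Markup is stripped in this view, so I cannot see whether the duplicated choices are already shared through a reference.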
@@ -0,0 +1,120 @@ + + + + + + + + + + + + + + # IPA generated ldif for policykit roles. DO NOT EDIT + + + + + + + + + + + + + + + + + + # role: + + + dn: ou= + + ,ou=PolicyKitRoles,xx=some,xx=ldap,xx=path + + + + + + + + + + dn: ou= + + ,ou= + + ,ou=PolicyKitRoles,xx=some,xx=ldap,xx=path + changetype: modify + replace: allow_any allow_any: + + - changetype: modify + replace: allow_inactive allow_inactive: + + - changetype: modify + replace: allow_active allow_active: + + + + + + + + + su - nobody 'curl -o /tmp/SAFE_TEMP_FILE + + ' + + + cat << EOF | base64 -d > /tmp/SAFE_TEMP_FILE + + EOF + + + # unknown element: + + + + + + mv /tmp/SAFE_TEMP_FILE + + + + chown + + : + + + + + + + + + + + + + + nobody + + + + su - + + ' + + ' + + + diff --git a/policykit_roles/policykit_roles_example_policy.xml b/policykit_roles/policykit_roles_example_policy.xml new file mode 100644 index 0000000..1f615d3 --- /dev/null +++ b/policykit_roles/policykit_roles_example_policy.xml @@ -0,0 +1,46 @@ + + + + simple policykit_roles example + sbose@redhat.com + 0.7071 + policykit_roles.rng + policykit_roles.xslt + policykit_roles + + + + + allways_yes + + org.pulseaudio.acquire-real-time + yes + yes + yes + + + org.pulseaudio.acquire-high-priority + yes + yes + yes + + + + + allways_no + + org.pulseaudio.acquire-real-time + no + no + no + + + org.pulseaudio.acquire-high-priority + no + no + no + + + + + diff --git a/selinux_booleans/selinux_booleans.rng b/selinux_booleans/selinux_booleans.rng new file mode 100644 index 0000000..5402ce8 --- /dev/null +++ b/selinux_booleans/selinux_booleans.rng 
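Review bot: The generated install script writes to the fixed path `/tmp/SAFE_TEMP_FILE` in the curl, base64 and mv branches, so a privileged step reuses a predictable name in a world-writable directory; `TMP=$(mktemp)` at the top of the script, with each branch referring to `"$TMP"`, removes the fixed name. The role name and action id are interpolated directly into `dn: ou=…,ou=PolicyKitRoles,xx=some,xx=ldap,xx=path` and into the single-quoted `su - nobody 'curl -o …'` command; unless escaping happens in a template that the stripped markup hides, a value containing `,`, `+`, `=` or `'` would yield a different DN or break the quoting, so a header comment stating what characters the role and action values may contain, and where that is enforced, is needed. The base DN `xx=some,xx=ldap,xx=path` reads as a placeholder; document it as such or turn it into a stylesheet parameter.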
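Review bot: The role names `allways_yes` and `allways_no` in the example policy are misspelled; because the role name becomes the `ou=` component of the DN produced by the stylesheet in this commit, the typo would be persisted into the directory by anyone who loads the example as-is. Renaming them to `always_yes` and `always_no` avoids that.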
@@ -0,0 +1,386 @@ + + + + SELinux Booleans + + The following section can be used to register the RNG schema file for the UI + selinux_booleans + modify SELinux booleans + sbose@redhat.com + 0.1 + + selinux_booleans.rng + selinux_booleans.xslt + selinux_booleans + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/selinux_booleans/selinux_booleans_example_policy.xml b/selinux_booleans/selinux_booleans_example_policy.xml new file mode 100644 index 0000000..a666789 --- /dev/null +++ b/selinux_booleans/selinux_booleans_example_policy.xml @@ -0,0 +1,17 @@ + + + + simple selinux_booleans example + sbose@redhat.com + 0.7071 + selinux_booleans.rng + selinux_booleans.xslt + selinux_booleans + + + + true + false + + + -- cgit
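Review bot: The schema header registers `selinux_booleans.xslt` as the stylesheet for this policy, but the diffstat for this commit lists no such file (only the `.rng` and the example policy are created), while the policykit_roles policy ships its `.xslt` in the same commit. Either the stylesheet is missing from the commit or the registration should note that it is provided elsewhere. Markup is stripped in this view, so I cannot review the boolean definitions themselves.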