* [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-gorg/files: add-gorg.patch
@ 2011-02-05 20:41 Anthony G. Basile (blueness)
From: Anthony G. Basile (blueness) @ 2011-02-05 20:41 UTC
To: gentoo-commits
blueness 11/02/05 20:41:05
Added: add-gorg.patch
Log:
Bulk addition of new selinux policies.
(Portage version: 2.1.9.25/cvs/Linux x86_64)
Revision Changes Path
1.1 sec-policy/selinux-gorg/files/add-gorg.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-gorg/files/add-gorg.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-gorg/files/add-gorg.patch?rev=1.1&content-type=text/plain
Index: add-gorg.patch
===================================================================
--- services/gorg.te 1970-01-01 01:00:00.000000000 +0100
+++ ../../../refpolicy/policy/modules/services/gorg.te 2011-01-07 22:35:18.986000107 +0100
@@ -0,0 +1,59 @@
+policy_module(gorg, 1.0.0)
+
+type gorg_t;
+type gorg_exec_t;
+typealias gorg_t alias { staff_gorg_t user_gorg_t };
+application_domain(gorg_t, gorg_exec_t)
+role staff_r types gorg_t;
+role user_r types gorg_t;
+
+type gorg_cache_t;
+files_type(gorg_cache_t);
+
+type gorg_config_t;
+files_type(gorg_config_t);
+
+# Allow gorg_t to put files in the gorg_cache_t location(s)
+manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
+
+# Allow gorg_t to read configuration file(s)
+allow gorg_t gorg_config_t:dir list_dir_perms;
+read_files_pattern(gorg_t, gorg_config_t, gorg_config_t)
+
+# gorg logs through /dev/log
+logging_send_syslog_msg(gorg_t)
+
+# Allow gorg to bind to port 8080 (http_cache_port_t)
+sysnet_read_config(gorg_t)
+sysnet_dns_name_resolve(gorg_t)
+corenet_all_recvfrom_unlabeled(gorg_t)
+corenet_all_recvfrom_netlabel(gorg_t)
+corenet_tcp_sendrecv_generic_if(gorg_t)
+corenet_tcp_sendrecv_generic_node(gorg_t)
+#corenet_tcp_sendrecv_all_ports(gorg_t)
+corenet_tcp_bind_generic_node(gorg_t)
+corenet_tcp_bind_http_cache_port(gorg_t)
+allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow gorg_t self:tcp_socket { listen accept };
+
+# Allow gorg read access to user home files (usually where cvs/git pull is stored)
+files_search_home(gorg_t)
+userdom_search_user_home_dirs(gorg_t)
+userdom_user_home_content(gorg_t)
+userdom_list_user_home_content(gorg_t)
+userdom_read_user_home_content_symlinks(gorg_t)
+userdom_read_user_home_content_files(gorg_t)
+
+# Local policy
+allow gorg_t self:fifo_file rw_fifo_file_perms;
+
+# Read /etc files (xml/catalog, hosts.conf, ...)
+files_read_etc_files(gorg_t)
+
+# Gorg is ruby, so be able to execute ruby
+corecmd_exec_bin(gorg_t)
+
+# Output to screen
+userdom_use_user_terminals(gorg_t)
+domain_use_interactive_fds(gorg_t)
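Review bot: `userdom_user_home_content(gorg_t)` in the home-directory block is applied to the process domain instead of a file type; that interface marks its argument as user-home content (a files_type), which is meaningless for gorg_t and should be dropped, since the read access the comment asks for is already granted by the userdom_list_user_home_content / userdom_read_user_home_content_* calls beneath it. Two smaller points in the same hunk: the network block ends with `allow gorg_t self:tcp_socket { listen accept };`, which is not enough on its own to create or bind a socket, so either confirm that sysnet_dns_name_resolve is relied on to supply the create/bind permissions (and say so in the comment) or add `allow gorg_t self:tcp_socket create_stream_socket_perms;` explicitly; and the cache block grants manage on gorg_cache_t but nothing here grants search on the parent directories of /var/cache/gorg (files_search_var or equivalent), whereas /etc is covered by files_read_etc_files further down. Finally, hard-coding `role staff_r types gorg_t; role user_r types gorg_t;` in the module departs from the refpolicy convention of exposing a gorg_role interface that the user modules call.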
--- services/gorg.fc 1970-01-01 01:00:00.000000000 +0100
+++ ../../../refpolicy/policy/modules/services/gorg.fc 2011-01-07 22:35:22.840999786 +0100
@@ -0,0 +1,3 @@
+/etc/gorg(/.*)? gen_context(system_u:object_r:gorg_config_t,s0)
+/var/cache/gorg(/.*)? gen_context(system_u:object_r:gorg_cache_t,s0)
+/usr/bin/gorg -- gen_context(system_u:object_r:gorg_exec_t,s0)
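Review bot: the file contexts label /usr/bin/gorg as gorg_exec_t, but nothing in the patch defines how a caller reaches gorg_t: there is no gorg.if with a gorg_domtrans/gorg_role interface and no domtrans_pattern in gorg.te, so executing /usr/bin/gorg from staff_t or user_t stays in the caller's domain and the gorg_cache_t and gorg_config_t labels are never exercised by the new domain. Add the interface file and move the `role ... types gorg_t` lines into its role interface. Also the `---`/`+++` headers of both hunks point at different paths (services/gorg.fc versus ../../../refpolicy/policy/modules/services/gorg.fc), which will need a fixed -p level when the patch is applied.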