Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/cvs.te
blob: 3bf9615bf9419581b48b8b5ac1446f828f081106 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

policy_module(cvs)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether cvs can read shadow
##	password files.
##	</p>
## </desc>
gen_tunable(allow_cvs_read_shadow, false)

type cvs_t;
type cvs_exec_t;
init_daemon_domain(cvs_t, cvs_exec_t)
application_executable_file(cvs_exec_t)

type cvs_data_t; # customizable
files_type(cvs_data_t)

type cvs_initrc_exec_t;
init_script_file(cvs_initrc_exec_t)

type cvs_keytab_t;
files_type(cvs_keytab_t)

type cvs_runtime_t alias cvs_var_run_t;
files_runtime_file(cvs_runtime_t)

type cvs_tmp_t;
files_tmp_file(cvs_tmp_t)

########################################
#
# Local policy
#

allow cvs_t self:capability { setgid setuid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:tcp_socket { accept listen };

manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)

allow cvs_t cvs_keytab_t:file read_file_perms;

manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })

manage_files_pattern(cvs_t, cvs_runtime_t, cvs_runtime_t)
files_runtime_filetrans(cvs_t, cvs_runtime_t, file)

kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)

corenet_all_recvfrom_netlabel(cvs_t)
corenet_tcp_sendrecv_generic_if(cvs_t)
corenet_tcp_sendrecv_generic_node(cvs_t)

corenet_sendrecv_cvs_server_packets(cvs_t)
corenet_tcp_bind_cvs_port(cvs_t)

corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)

dev_read_urand(cvs_t)

files_read_etc_runtime_files(cvs_t)
files_search_home(cvs_t)

fs_getattr_xattr_fs(cvs_t)

auth_domtrans_chk_passwd(cvs_t)
auth_use_nsswitch(cvs_t)

init_read_utmp(cvs_t)

logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)

miscfiles_read_localization(cvs_t)

userdom_dontaudit_search_user_home_dirs(cvs_t)

# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`allow_cvs_read_shadow',`
	allow cvs_t self:capability dac_override;
	auth_tunable_read_shadow(cvs_t)
')

optional_policy(`
	inetd_tcp_service_domain(cvs_t, cvs_exec_t)
')

optional_policy(`
	kerberos_read_config(cvs_t)
	kerberos_read_keytab(cvs_t)
	kerberos_use(cvs_t)
	kerberos_dontaudit_write_config(cvs_t)
')

optional_policy(`
	mta_send_mail(cvs_t)
')

########################################
#
# CVSWeb local policy
#

optional_policy(`
	apache_content_template(cvs)

	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
')