psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   cvs.te
Blob Blame History Raw 
policy_module(cvs, 1.9.1)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether cvs can read shadow
##	password files.
##	</p>
## </desc>
gen_tunable(cvs_read_shadow, false)

type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t, cvs_exec_t)
application_executable_file(cvs_exec_t)

type cvs_data_t; # customizable
files_type(cvs_data_t)

type cvs_initrc_exec_t;
init_script_file(cvs_initrc_exec_t)

type cvs_tmp_t;
files_tmp_file(cvs_tmp_t)

type cvs_var_run_t;
files_pid_file(cvs_var_run_t)

########################################
#
# Local policy
#

allow cvs_t self:capability { setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;

manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)

manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })

manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t)
files_pid_filetrans(cvs_t, cvs_var_run_t, file)

kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)

corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)

corenet_all_recvfrom_netlabel(cvs_t)
corenet_tcp_sendrecv_generic_if(cvs_t)
corenet_udp_sendrecv_generic_if(cvs_t)
corenet_tcp_sendrecv_generic_node(cvs_t)
corenet_udp_sendrecv_generic_node(cvs_t)
corenet_tcp_sendrecv_all_ports(cvs_t)
corenet_udp_sendrecv_all_ports(cvs_t)

dev_read_urand(cvs_t)

files_read_etc_runtime_files(cvs_t)
files_search_home(cvs_t)

fs_getattr_xattr_fs(cvs_t)

auth_domtrans_chk_passwd(cvs_t)
auth_use_nsswitch(cvs_t)

init_read_utmp(cvs_t)

init_dontaudit_read_utmp(cvs_t)

logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)

mta_send_mail(cvs_t)

userdom_dontaudit_search_user_home_dirs(cvs_t)

# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`cvs_read_shadow',`
	allow cvs_t self:capability dac_override;
	auth_tunable_read_shadow(cvs_t)
')

optional_policy(`
	kerberos_keytab_template(cvs, cvs_t)
	kerberos_read_config(cvs_t)
	kerberos_dontaudit_write_config(cvs_t)
')

########################################
#
# CVSWeb local policy
#

optional_policy(`
	apache_content_template(cvs)

	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.