2010-01-05 11:54:30

by domg472

Subject: [refpolicy] [ Patch 1/1] Implement cobblerd policy.


Since cobbler writes to a bunch of config files, I decided to declare dedicated types for these files in /etc, because I do not want to give cobblerd_t write access to etc_t. Note that these changes can, and probably will, cause things to break. For example libvirt may need to interact with /etc/dnsmasq.conf, which was type etc_t but is now dnsmasq_etc_t.

Speaking of dnsmasq; i removed file_read_etc_files for its TE file since the comment suggested it only needs it to read /etc/dnsmasq.conf.

The biggest issue, to me, about cobblerds' policy is how to deal with its web content. Cobblerd_t needs to write to /var/www/cobbler/images and httpd_t needs to write to /var/lib/cobbler/webui_sessions. We cannot depend on apache module. So i decided to label these location public_content_rw_t. This required that the booleans: allow_httpd_anon_write as well as cobbler_anon_write be set to on.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 df59b53... cb8e9fc... M policy/modules/kernel/corenetwork.te.in
:100644 100644 f5b7880... f853bf5... M policy/modules/kernel/files.if
:100644 100644 a898dd8... c1139e4... M policy/modules/services/apache.if
:100644 100644 eb3ccae... 02a2f7d... M policy/modules/services/apache.te
:100644 100644 0bc0189... aef64b7... M policy/modules/services/bind.if
:000000 100644 0000000... aded429... A policy/modules/services/cobbler.fc
:000000 100644 0000000... 61ccf52... A policy/modules/services/cobbler.if
:000000 100644 0000000... a0b7c43... A policy/modules/services/cobbler.te
:100644 100644 51316b4... 8e4d1be... M policy/modules/services/dhcp.if
:100644 100644 a328cea... 89e2e66... M policy/modules/services/dnsmasq.fc
:100644 100644 28c0734... 09e1efd... M policy/modules/services/dnsmasq.if
:100644 100644 a4e478e... edcf106... M policy/modules/services/dnsmasq.te
:100644 100644 299f7a4... 479615b... M policy/modules/services/rsync.fc
:100644 100644 7418196... 7dc8495... M policy/modules/services/rsync.if
:100644 100644 97a6086... ee78a18... M policy/modules/services/rsync.te
:100644 100644 2cbde68... 828b0c3... M policy/modules/services/tftp.if
:100644 100644 6557a8e... 3051ca7... M policy/modules/system/miscfiles.fc
:100644 100644 5a4f576... 0e77e21... M policy/modules/system/sysnetwork.fc
policy/modules/kernel/corenetwork.te.in | 1 +
policy/modules/kernel/files.if | 18 ++++
policy/modules/services/apache.if | 21 ++++
policy/modules/services/apache.te | 4 +
policy/modules/services/bind.if | 38 +++++++
policy/modules/services/cobbler.fc | 6 +
policy/modules/services/cobbler.if | 160 +++++++++++++++++++++++++++++++
policy/modules/services/cobbler.te | 120 +++++++++++++++++++++++
policy/modules/services/dhcp.if | 19 ++++
policy/modules/services/dnsmasq.fc | 1 +
policy/modules/services/dnsmasq.if | 38 +++++++
policy/modules/services/dnsmasq.te | 7 +-
policy/modules/services/rsync.fc | 1 +
policy/modules/services/rsync.if | 38 +++++++
policy/modules/services/rsync.te | 5 +
policy/modules/services/tftp.if | 38 +++++++
policy/modules/system/miscfiles.fc | 3 +
policy/modules/system/sysnetwork.fc | 2 +
18 files changed, 518 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index df59b53..cb8e9fc 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -84,6 +84,7 @@ network_port(certmaster, tcp,51235,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
+network_port(cobbler, tcp,25151,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f5b7880..f853bf5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1504,6 +1504,24 @@ interface(`files_dontaudit_getattr_boot_dirs',`

########################################
## <summary>
+## List the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Search the /boot directory.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index a898dd8..c1139e4 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -758,6 +758,27 @@ interface(`apache_domtrans_rotatelogs',`

########################################
## <summary>
+## Allow the specified domain to list
+## apache system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
## Allow the specified domain to manage
## apache system content files.
## </summary>
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index eb3ccae..02a2f7d 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -451,6 +451,10 @@ optional_policy(`
')

optional_policy(`
+ cobbler_search_var_lib(httpd_t)
+')
+
+optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')

diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 0bc0189..aef64b7 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -2,6 +2,25 @@

########################################
## <summary>
+## Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
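Review bot: The summary on the new `bind_initrc_domtrans` interface, `## Execute bind server in the bind domain.`, describes `bind_domtrans`, not an init-script transition; it should read `## Execute the BIND init script in the init script domain.` so the generated interface docs distinguish the two. The header also carries a doubled `#` line directly above `interface(`bind_initrc_domtrans',`` where every other interface in this patch has one; drop the extra line for consistency.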
@@ -192,6 +211,25 @@ interface(`bind_manage_config_dirs',`

########################################
## <summary>
+## Manage BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
## Search the BIND cache directory.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
new file mode 100644
index 0000000..aded429
--- /dev/null
+++ b/policy/modules/services/cobbler.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
new file mode 100644
index 0000000..61ccf52
--- /dev/null
+++ b/policy/modules/services/cobbler.if
@@ -0,0 +1,160 @@
+## <summary>Cobbler installation server.</summary>
+## <desc>
+## <p>
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read cobbler files in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_var_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage cobbler files in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_manage_var_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Search cobbler dirs in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_search_var_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run cobblerd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+## <summary>
+## Execute cobblerd server in the cobblerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cobblerd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobblerd_var_lib_t, cobblerd_var_log_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cobblerd_t, cobblerd_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobblerd_var_lib_t)
+
+ files_search_var_log($1)
+ admin_pattern($1, cobblerd_var_log_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
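Review bot: `cobblerd_admin` requires `cobblerd_var_lib_t` and `cobblerd_var_log_t`, but cobbler.te in this same patch declares the types as `cobbler_var_lib_t` and `cobbler_var_log_t`, and the `role_transition` line uses `cobblerd_initrc_exec_t` without listing it in the `gen_require` block; the module will fail to build or link as written. The corrected require block and the two `admin_pattern` calls are below. More generally the file mixes a `cobbler_` prefix (`cobbler_read_var_lib_files`, `cobbler_search_var_lib`) with a `cobblerd_` prefix (`cobblerd_domtrans`, `cobblerd_admin`); refpolicy convention is one prefix per module, normally the module name, so settling on `cobbler_` throughout would avoid callers guessing.
```selinux
interface(`cobblerd_admin',`
	gen_require(`
		type cobblerd_t, cobblerd_initrc_exec_t;
		type cobbler_var_lib_t, cobbler_var_log_t;
	')

	# … unchanged: process access and read_files_pattern on cobblerd_t …

	files_list_var_lib($1)
	admin_pattern($1, cobbler_var_lib_t)

	files_search_var_log($1)
	admin_pattern($1, cobbler_var_log_t)

	# … unchanged: initrc domtrans, domain_system_change_exemption, role transition …
')
```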
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
new file mode 100644
index 0000000..a0b7c43
--- /dev/null
+++ b/policy/modules/services/cobbler.te
@@ -0,0 +1,120 @@
+
+policy_module(cobbler, 1.0.0)
+
+########################################
+#
+# Cobbler personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(cobbler_anon_write, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
+
+########################################
+#
+# Cobbler personal policy.
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+files_read_etc_files(cobblerd_t)
+files_read_usr_files(cobblerd_t)
+
+files_list_boot(cobblerd_t)
+
+files_list_tmp(cobblerd_t)
+
+kernel_read_system_state(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_read_config(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+optional_policy(`
+ apache_list_sys_content(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ tftp_manage_tftpdir_dirs(cobblerd_t)
+ tftp_manage_tftpdir_files(cobblerd_t)
+')
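Review bot: `sysnet_write_config(cobblerd_t)` is a broad grant: net_conf_t is the type of /etc/resolv.conf and related resolver files, and the only cobbler-related path this patch places under it is /etc/ethers (sysnetwork.fc), so cobblerd gains write access to the resolver configuration in order to edit one file. At minimum a comment above the call such as `# for /etc/ethers (labelled net_conf_t)` makes the intent reviewable; a narrower type for /etc/ethers would be better. The `cobbler_anon_write` description says "public files used for public file transfer services", but `miscfiles_manage_public_files` grants manage on every public_content_rw_t location on the host, not only cobbler's web content, and the desc should say so since it is what `semanage boolean -l` shows an administrator. Both the direct `*_domtrans` and the `*_initrc_domtrans` are granted for bind, dhcpd and dnsmasq; if cobblerd only restarts these services through their init scripts, the direct transitions (which would run the daemons with cobblerd's inherited descriptors outside init's environment) can presumably be dropped, which is worth confirming against what cobbler actually execs.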
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 51316b4..8e4d1be 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -2,6 +2,25 @@

########################################
## <summary>
+## Transition to dhcpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
+########################################
+## <summary>
## Set the attributes of the DCHP
## server state files.
## </summary>
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index a328cea..89e2e66 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -1,3 +1,4 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)

/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
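Review bot: Only `/etc/dnsmasq.conf` receives the new `dnsmasq_etc_t` label, while the dnsmasq.te hunk in this patch removes `files_read_etc_files` from dnsmasq_t, so any other configuration dnsmasq reads from /etc — a `conf-dir` such as `/etc/dnsmasq.d`, which several distributions ship by default — would stay etc_t and now be denied. If that directory exists on the target distributions, add `/etc/dnsmasq\.d(/.*)?	gen_context(system_u:object_r:dnsmasq_etc_t,s0)` alongside the new entry; otherwise a comment recording that only the single file is covered on purpose would save the next person an AVC hunt.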
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 28c0734..09e1efd 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -136,6 +136,44 @@ interface(`dnsmasq_read_pid_files',`

########################################
## <summary>
+## Read dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write to dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
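Review bot: `dnsmasq_write_config` grants `write_files_pattern`, which is write/append on an existing file only — no create, unlink or rename on the directory. If cobbler regenerates dnsmasq.conf by writing a temporary file and renaming it into place (a common pattern for template-driven config writers; I cannot tell from here which approach it uses) the call will be denied with this interface. Either document the limitation in the summary, `## Write to existing dnsmasq config files.`, or, if cobbler replaces the file, switch to `manage_files_pattern` and name the interface `dnsmasq_manage_config` so the scope is clear to callers.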
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index a4e478e..edcf106 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -13,6 +13,9 @@ init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)

+type dnsmasq_etc_t;
+files_config_file(dnsmasq_etc_t)
+
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

@@ -34,6 +37,8 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+
# dhcp leases
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -66,8 +71,6 @@ dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

-# allow access to dnsmasq.conf
-files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
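Review bot: Removing `files_read_etc_files(dnsmasq_t)` drops more than access to dnsmasq.conf: it was the visible source of read access to generic etc_t files such as /etc/nsswitch.conf and /etc/passwd, which dnsmasq reads when it drops to its unprivileged user, and of directory listing on /etc itself. The rest of dnsmasq.te is outside this hunk, so this is fine if the file already carries `auth_use_nsswitch` (or an equivalent) and something that grants search on etc_t; if not, the daemon will fail to start in enforcing mode. A start/stop cycle under enforcing mode with the configured `-u` user should be part of validating this removal, and the deleted comment is better replaced by one stating why generic etc_t reads are no longer needed than removed outright.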
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
index 299f7a4..479615b 100644
--- a/policy/modules/services/rsync.fc
+++ b/policy/modules/services/rsync.fc
@@ -1,3 +1,4 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)

/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)

diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 7418196..7dc8495 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -103,3 +103,41 @@ interface(`rsync_exec',`

can_exec($1, rsync_exec_t)
')
+
+########################################
+## <summary>
+## Read rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Write to rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
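Review bot: The two new interfaces document their parameter as `## Domain allowed.` whereas the rest of this patch and refpolicy generally use `## Domain allowed access.`; the interface documentation is generated from these headers, so the wording should stay uniform. The same write-only caveat as for the dnsmasq interface applies here: `write_files_pattern` does not cover create or rename, so `rsync_write_config` is only sufficient if cobbler rewrites /etc/rsyncd.conf in place, and the summary should say `## Write to existing rsync config files.` if that is the intended scope.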
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 97a6086..ee78a18 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -28,6 +28,9 @@ init_daemon_domain(rsync_t, rsync_exec_t)
application_executable_file(rsync_exec_t)
role system_r types rsync_t;

+type rsync_etc_t;
+files_config_file(rsync_etc_t)
+
type rsync_data_t;
files_type(rsync_data_t)

@@ -57,6 +60,8 @@ allow rsync_t self:udp_socket connected_socket_perms;
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd

+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
+
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 2cbde68..828b0c3 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -2,6 +2,44 @@

########################################
## <summary>
+## Manage tftp /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_tftpdir_dirs',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+## Manage tftp /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_tftpdir_files',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
## Read tftp content
## </summary>
## <param name="domain">
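Review bot: Both new interfaces carry the identical summary `## Manage tftp /var/lib files.`, but the first one grants `manage_dirs_pattern`, so its summary should read `## Manage tftp /var/lib directories.`; as written the generated docs show two indistinguishable interfaces. Since the underlying type is `tftpdir_rw_t` rather than a specific path, naming the type in both summaries (for example `## Manage read/write tftp content directories.`) describes what is actually granted regardless of where the distribution places the tftp root.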
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 6557a8e..3051ca7 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -74,6 +74,9 @@ ifdef(`distro_redhat',`
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)

+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)

ifdef(`distro_debian',`
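Review bot: `/var/lib/cobbler/webui_sessions` holds web UI session state, not public content, yet it is labelled `public_content_rw_t`, the type shared by every anonymous-write share on the host (ftp, samba, rsync and so on). Once `allow_httpd_anon_write` and `cobbler_anon_write` are enabled, as the cover letter says is required, httpd_t can write to every public share on the system and any other domain whose anon-write boolean is on can read and modify cobbler's session files; one session directory should not cost that much. The cover letter rules out depending on the apache module, but an `optional_policy(` block in cobbler.te calling `apache_content_template(cobbler)`, if that template is available in this tree, yields a dedicated httpd-writable type for the sessions and images directories without a hard dependency and is worth trying before settling on the shared type. Cobbler-specific paths also belong in cobbler.fc rather than miscfiles.fc.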
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 5a4f576..0e77e21 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -11,6 +11,8 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)

--
1.6.5.2
