Administering rsync does not require running it in the rsync_t domain, and forcing that transition causes problems for backups and the like: they would originally run in the user's domain but now run in rsync_t.
---
rsync.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/rsync.if b/rsync.if
index e916de8..c7b19aa 100644
--- a/rsync.if
+++ b/rsync.if
@@ -276,6 +276,4 @@ interface(`rsync_admin',`
files_search_pids($1)
admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
')
--
2.4.6
git_session_t already has these permissions but they are missing on
git_system_t. Instead add the perms on the git_daemon attribute which
covers both system and session daemons.
---
git.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/git.te b/git.te
index 1ca8c24..517d513 100644
--- a/git.te
+++ b/git.te
@@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
# Session policy
#
-allow git_session_t self:tcp_socket { accept listen };
-
userdom_search_user_home_dirs(git_session_t)
corenet_all_recvfrom_netlabel(git_session_t)
@@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
#
allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:tcp_socket { accept listen };
list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
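Review bot: The new `allow git_daemon self:tcp_socket { accept listen };` grants listen/accept to every member of git_daemon, but for git_system_t to serve as a standalone (non-xinetd) service it must also create and bind the socket — presumably `corenet_tcp_bind_generic_node(git_system_t)` and `corenet_tcp_bind_git_port(git_system_t)` — and nothing in this hunk shows those rules for git_system_t, so I cannot confirm they exist elsewhere in git.te. Without them the daemon still fails at bind() before listen() is ever reached, so it is worth checking that the bind rules are on git_daemon or git_system_t. Under xinetd the listening socket is inherited and these two permissions are never exercised, which a short comment would make clear: `# accept/listen are only used when git-daemon runs as a standalone service; under xinetd the listening socket is inherited`. The surrounding git_daemon rule block continues outside the hunk.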
--
2.4.6
---
hadoop.if | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/hadoop.if b/hadoop.if
index a0a819f..5908119 100644
--- a/hadoop.if
+++ b/hadoop.if
@@ -426,7 +426,6 @@ interface(`hadoop_admin',`
attribute hadoop_domain;
attribute hadoop_initrc_domain;
- attribute hadoop_init_script_file;
attribute hadoop_pid_file;
attribute hadoop_lock_file;
attribute hadoop_log_file;
@@ -436,12 +435,22 @@ interface(`hadoop_admin',`
type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
type zookeeper_server_var_t;
+
+ type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+ type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+ type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+ type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+ type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
')
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
+ init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
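Review bot: The five `init_startstop_service()` calls that replace the single attribute-based call turn the set of services an admin may start and stop into a hand-maintained list, which can drift from the hadoop_initrc_domain attribute still used two lines above for `ptrace`/`ps_process_pattern`; a daemon added later with that attribute but not listed here would be visible to the admin yet not controllable through init. A comment above the block would make the constraint explicit: `# init_startstop_service() needs concrete types here (presumably because a domain transition cannot target an attribute); keep this list in sync with the hadoop_initrc_domain members in hadoop.te`. zookeeper_t and zookeeper_server_t appear in the ptrace/ps lists but no zookeeper init script is covered by the five calls — I cannot tell from the hunk whether that is deliberate. The hadoop_admin interface body continues past the hunk.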
--
2.4.6
On Mon, Aug 24, 2015 at 11:10:07PM +0800, Jason Zaman wrote:
> Admining rsync does not require running it in the rsync_t domain and
> this causes problems for backups and the like which would originally run
> in the user's domain now run in rsync_t.
Thanks, merged
> ---
> rsync.if | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/rsync.if b/rsync.if
> index e916de8..c7b19aa 100644
> --- a/rsync.if
> +++ b/rsync.if
> @@ -276,6 +276,4 @@ interface(`rsync_admin',`
>
> files_search_pids($1)
> admin_pattern($1, rsync_var_run_t)
> -
> - rsync_run($1, $2)
> ')
> --
> 2.4.6
>
--
Dominick Grift
On Mon, Aug 24, 2015 at 11:10:08PM +0800, Jason Zaman wrote:
> git_session_t already has these permissions but they are missing on
> git_system_t. Instead add the perms on the git_daemon attribute which
> covers both system and session daemons.
By default git-daemon as a system service is configured through xinetd. The way xinetd works is that it basically handles networking on git-daemon's behalf. I thought I had added support to run git-daemon as a sysv init system service, and I did, but this part was indeed missing.
Thanks, merged.
> ---
> git.te | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/git.te b/git.te
> index 1ca8c24..517d513 100644
> --- a/git.te
> +++ b/git.te
> @@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
> # Session policy
> #
>
> -allow git_session_t self:tcp_socket { accept listen };
> -
> userdom_search_user_home_dirs(git_session_t)
>
> corenet_all_recvfrom_netlabel(git_session_t)
> @@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
> #
>
> allow git_daemon self:fifo_file rw_fifo_file_perms;
> +allow git_daemon self:tcp_socket { accept listen };
>
> list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
> read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
> --
> 2.4.6
>
--
Dominick Grift
On Mon, Aug 24, 2015 at 11:10:09PM +0800, Jason Zaman wrote:
> ---
> hadoop.if | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
Yes, that is an unfortunate side effect. CIL can deal with this.
Merged, thanks
>
> diff --git a/hadoop.if b/hadoop.if
> index a0a819f..5908119 100644
> --- a/hadoop.if
> +++ b/hadoop.if
> @@ -426,7 +426,6 @@ interface(`hadoop_admin',`
> attribute hadoop_domain;
> attribute hadoop_initrc_domain;
>
> - attribute hadoop_init_script_file;
> attribute hadoop_pid_file;
> attribute hadoop_lock_file;
> attribute hadoop_log_file;
> @@ -436,12 +435,22 @@ interface(`hadoop_admin',`
> type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
> type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
> type zookeeper_server_var_t;
> +
> + type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
> + type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
> + type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
> + type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
> + type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
> ')
>
> allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
> ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
>
> - init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
> + init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
> + init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
> + init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
> + init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
> + init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
>
> files_search_etc($1)
> admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
> --
> 2.4.6
>
--
Dominick Grift