From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 09 Feb 2010 08:45:52 -0500
Subject: [refpolicy] [ Patch RETRY 1/1] Implement cobblerd policy.
In-Reply-To: <20100105152612.GA24588@localhost.localdomain>
References: <20100105152612.GA24588@localhost.localdomain>
Message-ID: <1265723152.911.1.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-01-05 at 16:26 +0100, Dominick Grift wrote:
> My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.
>
> While I was at it, I decided to implement a cobbler_etc_t for cobbler content in /etc. This is because you cannot administer a cobbler environment without having access to the cobbler config files, and I don't want to give cobbler_admin access to manage etc_t.
>
> As a consequence of this I also removed the files_read_etc_files(cobblerd_t), as I think that cobbler only needed it to read its own files in /etc. However, this is not confirmed, and it may need read access to etc_t after all.
>
> Also I would like to underscore my reason for using public_content_rw_t. One of the reasons is that I do not want to give cobbler access to manage httpd_sys_content_rw_t. In general I do not want to depend on the apache module at all.

Merged.
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 df59b53... cb8e9fc... M policy/modules/kernel/corenetwork.te.in
> :100644 100644 f5b7880... f853bf5... M policy/modules/kernel/files.if
> :100644 100644 a898dd8... c1139e4... M policy/modules/services/apache.if
> :100644 100644 eb3ccae... 02a2f7d... M policy/modules/services/apache.te
> :100644 100644 0bc0189... aef64b7... M policy/modules/services/bind.if
> :000000 100644 0000000... 0a811f6... A policy/modules/services/cobbler.fc
> :000000 100644 0000000... 433099f... A policy/modules/services/cobbler.if
> :000000 100644 0000000... 7e5c614... A policy/modules/services/cobbler.te
> :100644 100644 51316b4... 8e4d1be... M policy/modules/services/dhcp.if
> :100644 100644 a328cea... 89e2e66... M policy/modules/services/dnsmasq.fc
> :100644 100644 28c0734... 09e1efd... M policy/modules/services/dnsmasq.if
> :100644 100644 a4e478e... edcf106... M policy/modules/services/dnsmasq.te
> :100644 100644 299f7a4... 479615b... M policy/modules/services/rsync.fc
> :100644 100644 7418196... 7dc8495... M policy/modules/services/rsync.if
> :100644 100644 97a6086... ee78a18... M policy/modules/services/rsync.te
> :100644 100644 2cbde68... 828b0c3... M policy/modules/services/tftp.if
> :100644 100644 6557a8e... 3051ca7... M policy/modules/system/miscfiles.fc
> :100644 100644 5a4f576... 0e77e21... M policy/modules/system/sysnetwork.fc
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/kernel/files.if | 18 +++
> policy/modules/services/apache.if | 21 ++++
> policy/modules/services/apache.te | 4 +
> policy/modules/services/bind.if | 38 +++++++
> policy/modules/services/cobbler.fc | 7 +
> policy/modules/services/cobbler.if | 183 +++++++++++++++++++++++++++++++
> policy/modules/services/cobbler.te | 124 +++++++++++++++++++++
> policy/modules/services/dhcp.if | 19 +++
> policy/modules/services/dnsmasq.fc | 1 +
> policy/modules/services/dnsmasq.if | 38 +++++++
> policy/modules/services/dnsmasq.te | 7 +-
> policy/modules/services/rsync.fc | 1 +
> policy/modules/services/rsync.if | 38 +++++++
> policy/modules/services/rsync.te | 5 +
> policy/modules/services/tftp.if | 38 +++++++
> policy/modules/system/miscfiles.fc | 3 +
> policy/modules/system/sysnetwork.fc | 2 +
> 18 files changed, 546 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index df59b53..cb8e9fc 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -84,6 +84,7 @@ network_port(certmaster, tcp,51235,s0)
> network_port(clamd, tcp,3310,s0)
> network_port(clockspeed, udp,4041,s0)
> network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
> +network_port(cobbler, tcp,25151,s0)
> network_port(comsat, udp,512,s0)
> network_port(cvs, tcp,2401,s0, udp,2401,s0)
> network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index f5b7880..f853bf5 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1504,6 +1504,24 @@ interface(`files_dontaudit_getattr_boot_dirs',`
>
> ########################################
> ##
> +## List the /boot directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_list_boot',`
> + gen_require(`
> + type boot_t;
> + ')
> +
> + allow $1 boot_t:dir list_dir_perms;
> +')
> +
> +########################################
> +##
> ## Search the /boot directory.
> ##
> ##
> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index a898dd8..c1139e4 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -758,6 +758,27 @@ interface(`apache_domtrans_rotatelogs',`
>
> ########################################
> ##
> +## Allow the specified domain to list
> +## apache system content files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_list_sys_content',`
> + gen_require(`
> + type httpd_sys_content_t;
> + ')
> +
> + list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
> + read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
> + files_search_var($1)
> +')
> +
> +########################################
> +##
> ## Allow the specified domain to manage
> ## apache system content files.
> ##
> diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
> index eb3ccae..02a2f7d 100644
> --- a/policy/modules/services/apache.te
> +++ b/policy/modules/services/apache.te
> @@ -451,6 +451,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cobbler_search_var_lib(httpd_t)
> +')
> +
> +optional_policy(`
> cron_system_entry(httpd_t, httpd_exec_t)
> ')
>
> diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
> index 0bc0189..aef64b7 100644
> --- a/policy/modules/services/bind.if
> +++ b/policy/modules/services/bind.if
> @@ -2,6 +2,25 @@
>
> ########################################
> ##
> +## Execute bind server in the bind domain.
> +##
> +##
> +##
> +## The type of the process performing this action.
> +##
> +##
> +#
> +#
> +interface(`bind_initrc_domtrans',`
> + gen_require(`
> + type named_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, named_initrc_exec_t)
> +')
> +
> +########################################
> +##
> ## Execute ndc in the ndc domain.
> ##
> ##
> @@ -192,6 +211,25 @@ interface(`bind_manage_config_dirs',`
>
> ########################################
> ##
> +## Manage BIND zone files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`bind_manage_zone',`
> + gen_require(`
> + type named_zone_t;
> + ')
> +
> + files_search_var($1)
> + manage_files_pattern($1, named_zone_t, named_zone_t)
> +')
> +
> +########################################
> +##
> ## Search the BIND cache directory.
> ##
> ##
> diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
> new file mode 100644
> index 0000000..0a811f6
> --- /dev/null
> +++ b/policy/modules/services/cobbler.fc
> @@ -0,0 +1,7 @@
> +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
> +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
> +
> +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
> +
> +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
> +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
> diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
> new file mode 100644
> index 0000000..433099f
> --- /dev/null
> +++ b/policy/modules/services/cobbler.if
> @@ -0,0 +1,183 @@
> +## Cobbler installation server.
> +##
> +##
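Review bot: The summary on `bind_initrc_domtrans` reads `Execute bind server in the bind domain`, but the rule it wraps, `init_labeled_script_domtrans($1, named_initrc_exec_t)`, transitions the caller into the init-script domain to run the named init script, not into named_t, so the doc promises more than the interface grants; change it to `## Execute the BIND init script in the initrc domain.` The doubled `# #` marker lines above the `interface(` line should also be collapsed to one so the block matches every other interface added in this patch.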

> +## Cobbler is a Linux installation server that allows for
> +## rapid setup of network installation environments. It
> +## glues together and automates many associated Linux
> +## tasks so you do not have to hop between lots of various
> +## commands and applications when rolling out new systems,
> +## and, in some cases, changing existing ones.
> +##

> +##
> + > +######################################## > +## > +## Read Cobbler content in /etc > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cobbler_read_config',` > + gen_require(` > + type cobbler_etc_t; > + ') > + > + read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); > + files_search_etc($1) > +') > + > +######################################## > +## > +## Do not audit attempts to read and write > +## Cobbler log files (leaked fd). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cobbler_dontaudit_rw_log',` > + gen_require(` > + type cobbler_var_log_t; > + ') > + > + dontaudit $1 cobbler_var_log_t:file rw_file_perms; > +') > + > +######################################## > +## > +## Read cobbler files in /var/lib > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cobbler_read_var_lib_files',` > + gen_require(` > + type cobbler_var_lib_t; > + ') > + > + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) > + files_search_var_lib($1) > +') > + > +######################################## > +## > +## Manage cobbler files in /var/lib > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cobbler_manage_var_lib_files',` > + gen_require(` > + type cobbler_var_lib_t; > + ') > + > + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) > + files_search_var_lib($1) > +') > + > +######################################## > +## > +## Search cobbler dirs in /var/lib > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cobbler_search_var_lib',` > + gen_require(` > + type cobbler_var_lib_t; > + ') > + > + search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) > + files_search_var_lib($1) > +') > + > +######################################## > +## > +## Execute a domain transition to run cobblerd. > +## > +## > +## > +## Domain allowed to transition. 
> +##
> +##
> +#
> +interface(`cobblerd_domtrans',`
> + gen_require(`
> + type cobblerd_t, cobblerd_exec_t;
> + ')
> +
> + domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
> +')
> +
> +########################################
> +##
> +## Execute cobblerd server in the cobblerd domain.
> +##
> +##
> +##
> +## The type of the process performing this action.
> +##
> +##
> +#
> +interface(`cobblerd_initrc_domtrans',`
> + gen_require(`
> + type cobblerd_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
> +')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an cobblerd environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`cobblerd_admin',`
> + gen_require(`
> + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
> + type cobbler_etc_t;
> + ')
> +
> + allow $1 cobblerd_t:process { ptrace signal_perms getattr };
> + read_files_pattern($1, cobblerd_t, cobblerd_t)
> +
> + files_search_etc($1)
> + admin_pattern($1, cobbler_etc_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, cobbler_var_lib_t)
> +
> + files_search_var_log($1)
> + admin_pattern($1, cobbler_var_log_t)
> +
> + cobblerd_initrc_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 cobblerd_initrc_exec_t system_r;
> + allow $2 system_r;
> +')
> diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
> new file mode 100644
> index 0000000..7e5c614
> --- /dev/null
> +++ b/policy/modules/services/cobbler.te
> @@ -0,0 +1,124 @@
> +
> +policy_module(cobbler, 1.0.0)
> +
> +########################################
> +#
> +# Cobbler personal declarations.
> +#
> +
> +##
> +##
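Review bot: `cobblerd_admin` grants `$1` `admin_pattern` access to cobbler_etc_t and cobbler_var_lib_t, the very files the daemon reads as its configuration and state, and since cobbler.te in this same series lets cobblerd_t exec shell and bin files and transition into the dhcpd, named and dnsmasq domains, a cobbler admin can in all likelihood steer what those services run; the description should say so rather than leaving it implicit, e.g. `## Write access to the cobbler configuration and state lets the admin drive cobblerd, which reconfigures and restarts dhcpd, named, dnsmasq, rsync and tftp.` Two smaller points in the same hunk: `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);` in `cobbler_read_config` carries a stray trailing semicolon no other pattern call here has, and `cobblerd_domtrans` lacks the `corecmd_search_bin($1)` that `dhcpd_domtrans` in this patch adds even though cobblerd_exec_t lives under /usr/bin. The summary `an cobblerd environment` should read `a cobblerd environment`.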

> +## Allow Cobbler to modify public files
> +## used for public file transfer services.
> +##

> +##
> +gen_tunable(cobbler_anon_write, false)
> +
> +type cobblerd_t;
> +type cobblerd_exec_t;
> +init_daemon_domain(cobblerd_t, cobblerd_exec_t)
> +
> +type cobblerd_initrc_exec_t;
> +init_script_file(cobblerd_initrc_exec_t)
> +
> +type cobbler_etc_t;
> +files_config_file(cobbler_etc_t)
> +
> +type cobbler_var_log_t;
> +logging_log_file(cobbler_var_log_t)
> +
> +type cobbler_var_lib_t;
> +files_type(cobbler_var_lib_t)
> +
> +########################################
> +#
> +# Cobbler personal policy.
> +#
> +
> +allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
> +allow cobblerd_t self:process { getsched setsched signal };
> +allow cobblerd_t self:fifo_file rw_fifo_file_perms;
> +allow cobblerd_t self:tcp_socket create_stream_socket_perms;
> +
> +read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
> +
> +manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
> +manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
> +files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
> +
> +append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
> +create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
> +read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
> +setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
> +logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
> +
> +corecmd_exec_bin(cobblerd_t)
> +corecmd_exec_shell(cobblerd_t)
> +
> +corenet_all_recvfrom_netlabel(cobblerd_t)
> +corenet_all_recvfrom_unlabeled(cobblerd_t)
> +corenet_sendrecv_cobbler_server_packets(cobblerd_t)
> +corenet_tcp_bind_cobbler_port(cobblerd_t)
> +corenet_tcp_bind_generic_node(cobblerd_t)
> +corenet_tcp_sendrecv_generic_if(cobblerd_t)
> +corenet_tcp_sendrecv_generic_node(cobblerd_t)
> +corenet_tcp_sendrecv_generic_port(cobblerd_t)
> +
> +dev_read_urand(cobblerd_t)
> +
> +files_read_usr_files(cobblerd_t)
> +
> +files_list_boot(cobblerd_t)
> +
> +files_list_tmp(cobblerd_t)
> +
> +kernel_read_system_state(cobblerd_t)
> +
> +miscfiles_read_localization(cobblerd_t)
> +miscfiles_read_public_files(cobblerd_t)
> +
> +sysnet_read_config(cobblerd_t)
> +sysnet_rw_dhcp_config(cobblerd_t)
> +sysnet_write_config(cobblerd_t)
> +
> +tunable_policy(`cobbler_anon_write',`
> + miscfiles_manage_public_files(cobblerd_t)
> +')
> +
> +optional_policy(`
> + apache_list_sys_content(cobblerd_t)
> +')
> +
> +optional_policy(`
> + bind_read_config(cobblerd_t)
> + bind_write_config(cobblerd_t)
> + bind_domtrans_ndc(cobblerd_t)
> + bind_domtrans(cobblerd_t)
> + bind_initrc_domtrans(cobblerd_t)
> + bind_manage_zone(cobblerd_t)
> +')
> +
> +optional_policy(`
> + dhcpd_domtrans(cobblerd_t)
> + dhcpd_initrc_domtrans(cobblerd_t)
> +')
> +
> +optional_policy(`
> + dnsmasq_domtrans(cobblerd_t)
> + dnsmasq_initrc_domtrans(cobblerd_t)
> + dnsmasq_write_config(cobblerd_t)
> +')
> +
> +optional_policy(`
> + rpm_exec(cobblerd_t)
> +')
> +
> +optional_policy(`
> + rsync_read_config(cobblerd_t)
> + rsync_write_config(cobblerd_t)
> +')
> +
> +optional_policy(`
> + tftp_manage_tftpdir_dirs(cobblerd_t)
> + tftp_manage_tftpdir_files(cobblerd_t)
> +')
> diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
> index 51316b4..8e4d1be 100644
> --- a/policy/modules/services/dhcp.if
> +++ b/policy/modules/services/dhcp.if
> @@ -2,6 +2,25 @@
>
> ########################################
> ##
> +## Transition to dhcpd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dhcpd_domtrans',`
> + gen_require(`
> + type dhcpd_t, dhcpd_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
> +')
> +
> +########################################
> +##
> ## Set the attributes of the DCHP
> ## server state files.
> ##
> diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
> index a328cea..89e2e66 100644
> --- a/policy/modules/services/dnsmasq.fc
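Review bot: `sysnet_write_config(cobblerd_t)` and `sysnet_rw_dhcp_config(cobblerd_t)` give the daemon write access to every file typed net_conf_t and dhcp_etc_t, and the sysnetwork.fc hunk in this same patch shows those types also covering /etc/resolv.conf, /etc/yp.conf and /etc/dhclient-script, so cobblerd can rewrite the resolver configuration and the hook script dhclient runs, although the files it appears to need are /etc/ethers and dhcpd.conf. A dedicated type for the files cobbler templates would narrow this; if the broad grant stays, document the trade-off next to the rules: `# cobbler rewrites /etc/ethers and dhcpd.conf; net_conf_t and dhcp_etc_t also cover resolv.conf and dhclient-script`. The capability line `allow cobblerd_t self:capability { chown dac_override fowner sys_nice };` likewise carries no why-comment, and dac_override in particular deserves one naming the operation that was observed to need it. Finally, the cover note admits that dropping `files_read_etc_files` is unconfirmed and nothing in the hunk replaces it, so etc_t reads by the interpreter and libc (nsswitch and the like, to be confirmed) will probably surface as denials once the daemon is exercised.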
> +++ b/policy/modules/services/dnsmasq.fc
> @@ -1,3 +1,4 @@
> +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
> /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
>
> /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
> diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
> index 28c0734..09e1efd 100644
> --- a/policy/modules/services/dnsmasq.if
> +++ b/policy/modules/services/dnsmasq.if
> @@ -136,6 +136,44 @@ interface(`dnsmasq_read_pid_files',`
>
> ########################################
> ##
> +## Read dnsmasq config files.
> +##
> +##
> +##
> +## Domain allowed.
> +##
> +##
> +#
> +interface(`dnsmasq_read_config',`
> + gen_require(`
> + type dnsmasq_etc_t;
> + ')
> +
> + read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
> + files_search_etc($1)
> +')
> +
> +########################################
> +##
> +## Write to dnsmasq config files.
> +##
> +##
> +##
> +## Domain allowed.
> +##
> +##
> +#
> +interface(`dnsmasq_write_config',`
> + gen_require(`
> + type dnsmasq_etc_t;
> + ')
> +
> + write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
> + files_search_etc($1)
> +')
> +
> +########################################
> +##
> ## All of the rules required to administrate
> ## an dnsmasq environment
> ##
> diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
> index a4e478e..edcf106 100644
> --- a/policy/modules/services/dnsmasq.te
> +++ b/policy/modules/services/dnsmasq.te
> @@ -13,6 +13,9 @@ init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
> type dnsmasq_initrc_exec_t;
> init_script_file(dnsmasq_initrc_exec_t)
>
> +type dnsmasq_etc_t;
> +files_config_file(dnsmasq_etc_t)
> +
> type dnsmasq_lease_t;
> files_type(dnsmasq_lease_t)
>
> @@ -34,6 +37,8 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
> allow dnsmasq_t self:packet_socket create_socket_perms;
> allow dnsmasq_t self:rawip_socket create_socket_perms;
>
> +read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
> +
> # dhcp leases
> manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
> files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
> @@ -66,8 +71,6 @@ dev_read_urand(dnsmasq_t)
>
> domain_use_interactive_fds(dnsmasq_t)
>
> -# allow access to dnsmasq.conf
> -files_read_etc_files(dnsmasq_t)
> files_read_etc_runtime_files(dnsmasq_t)
>
> fs_getattr_all_fs(dnsmasq_t)
> diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
> index 299f7a4..479615b 100644
> --- a/policy/modules/services/rsync.fc
> +++ b/policy/modules/services/rsync.fc
> @@ -1,3 +1,4 @@
> +/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
>
> /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
>
> diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
> index 7418196..7dc8495 100644
> --- a/policy/modules/services/rsync.if
> +++ b/policy/modules/services/rsync.if
> @@ -103,3 +103,41 @@ interface(`rsync_exec',`
>
> can_exec($1, rsync_exec_t)
> ')
> +
> +########################################
> +##
> +## Read rsync config files.
> +##
> +##
> +##
> +## Domain allowed.
> +##
> +##
> +#
> +interface(`rsync_read_config',`
> + gen_require(`
> + type rsync_etc_t;
> + ')
> +
> + read_files_pattern($1, rsync_etc_t, rsync_etc_t)
> + files_search_etc($1)
> +')
> +
> +########################################
> +##
> +## Write to rsync config files.
> +##
> +##
> +##
> +## Domain allowed.
> +##
> +##
> +#
> +interface(`rsync_write_config',`
> + gen_require(`
> + type rsync_etc_t;
> + ')
> +
> + write_files_pattern($1, rsync_etc_t, rsync_etc_t)
> + files_search_etc($1)
> +')
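Review bot: Removing `files_read_etc_files(dnsmasq_t)` in the `@@ -66,8 +71,6 @@` hunk leaves dnsmasq with read access only to the newly typed /etc/dnsmasq.conf, yet dnsmasq by default also consults /etc/hosts (still etc_t unless something outside this patch labels it) to answer queries and reads any `conf-dir` drop-ins, which the dnsmasq.fc hunk does not cover; the removed comment `# allow access to dnsmasq.conf` suggests the rule was added for the config file, but that does not prove nothing else under /etc is read. Either keep `files_read_etc_files(dnsmasq_t)` until denials confirm it is unnecessary, or extend the dnsmasq.fc entry with `/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t, s0)` and verify the /etc/hosts case separately.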
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 97a6086..ee78a18 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -28,6 +28,9 @@ init_daemon_domain(rsync_t, rsync_exec_t)
> application_executable_file(rsync_exec_t)
> role system_r types rsync_t;
>
> +type rsync_etc_t;
> +files_config_file(rsync_etc_t)
> +
> type rsync_data_t;
> files_type(rsync_data_t)
>
> @@ -57,6 +60,8 @@ allow rsync_t self:udp_socket connected_socket_perms;
> allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
> #end for identd
>
> +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
> +
> allow rsync_t rsync_data_t:dir list_dir_perms;
> read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
> read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
> diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
> index 2cbde68..828b0c3 100644
> --- a/policy/modules/services/tftp.if
> +++ b/policy/modules/services/tftp.if
> @@ -2,6 +2,44 @@
>
> ########################################
> ##
> +## Manage tftp /var/lib files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tftp_manage_tftpdir_dirs',`
> + gen_require(`
> + type tftpdir_rw_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
> +')
> +
> +########################################
> +##
> +## Manage tftp /var/lib files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`tftp_manage_tftpdir_files',`
> + gen_require(`
> + type tftpdir_rw_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
> +')
> +
> +########################################
> +##
> ## Read tftp content
> ##
> ##
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index 6557a8e..3051ca7 100644
> --- a/policy/modules/system/miscfiles.fc
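Review bot: Both new tftp interfaces carry the identical summary `Manage tftp /var/lib files.`, but `tftp_manage_tftpdir_dirs` grants `manage_dirs_pattern`, so its description should read `## Manage tftp /var/lib directories.` to match what it does and to stay distinguishable from its sibling. The names also hide that only tftpdir_rw_t, the writable tree, is granted and not the read-only tftpdir_t, which a reader of cobbler.te cannot tell from `tftp_manage_tftpdir_files(cobblerd_t)` alone; a line such as `## Only the writable tftpdir_rw_t tree is covered, not tftpdir_t.` in each description would make that explicit.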
> +++ b/policy/modules/system/miscfiles.fc
> @@ -74,6 +74,9 @@ ifdef(`distro_redhat',`
> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
> +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
> +
> /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
>
> ifdef(`distro_debian',`
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index 5a4f576..0e77e21 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -11,6 +11,8 @@
> /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
> /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
> /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
> +/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
> +/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
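Review bot: `/var/lib/cobbler/webui_sessions(/.*)?` is labeled public_content_rw_t, the type every public file-transfer daemon may read (and, under the anon-write booleans, write), so web UI session state becomes readable by any domain holding `miscfiles_read_public_files`, not just cobbler and its web front end; session files are credentials and deserve a type reachable only by cobblerd_t and httpd_t rather than the shared public-content type. The author's stated motive is avoiding a dependency on the apache module, which a cobbler-owned type plus an `optional_policy` grant to httpd_t (the pattern this patch already uses for `cobbler_search_var_lib(httpd_t)`) would satisfy equally well. The longer regex does take precedence over cobbler.fc's `/var/lib/cobbler(/.*)?`, but placing a cobbler path in miscfiles.fc splits the module's labeling across two files; if it must stay here, add `# overrides /var/lib/cobbler(/.*)? in cobbler.fc` above the entry so the next reader knows where to look.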