From: dominick.grift@gmail.com (grift) Date: Sat, 08 Dec 2012 22:57:54 +0100 Subject: [refpolicy] [PATCH 04/11] Initial policy for makewhatis In-Reply-To: <1355000222-7297-5-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-5-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355003874.1797.47.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote: > Signed-off-by: Sven Vermeulen > --- > makewhatis.fc | 1 + > makewhatis.if | 1 + > makewhatis.te | 35 +++++++++++++++++++++++++++++++++++ > 3 files changed, 37 insertions(+), 0 deletions(-) > create mode 100644 makewhatis.fc > create mode 100644 makewhatis.if > create mode 100644 makewhatis.te > > diff --git a/makewhatis.fc b/makewhatis.fc > new file mode 100644 > index 0000000..5ddf136 > --- /dev/null > +++ b/makewhatis.fc > @@ -0,0 +1 @@ > +/usr/sbin/makewhatis -- gen_context(system_u:object_r:makewhatis_exec_t,s0) I would rather have the actual cron script labeled and leave this file generic instead since this policy only supports a domain transition from crond anyway. > diff --git a/makewhatis.if b/makewhatis.if > new file mode 100644 > index 0000000..17d948a > --- /dev/null > +++ b/makewhatis.if > @@ -0,0 +1 @@ > +## Build whatis database from man pages > diff --git a/makewhatis.te b/makewhatis.te > new file mode 100644 > index 0000000..7c5c356 > --- /dev/null > +++ b/makewhatis.te 
> @@ -0,0 +1,35 @@ > +policy_module(makewhatis, 0.1) > + > +type makewhatis_t; > +type makewhatis_exec_t; > +application_domain(makewhatis_t, makewhatis_exec_t) > + > +type makewhatis_tmp_t; > +files_tmp_file(makewhatis_tmp_t) > + > +#################### > +# > +# Local policy > +# > + > +allow makewhatis_t self:process getsched; > +allow makewhatis_t self:unix_stream_socket rw_stream_socket_perms; > +allow makewhatis_t self:fifo_file rw_fifo_file_perms; > + > +manage_files_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t) > +manage_dirs_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t) > +files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, dir) > + > +kernel_read_system_state(makewhatis_t) > + > +corecmd_exec_bin(makewhatis_t) > +corecmd_exec_shell(makewhatis_t) > + > +auth_use_nsswitch(makewhatis_t) > + > +miscfiles_read_localization(makewhatis_t) > +miscfiles_manage_man_pages(makewhatis_t) > + > +optional_policy(` > + cron_system_entry(makewhatis_t, makewhatis_exec_t) > +')
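Review bot: In the makewhatis.fc hunk, the only path labeled is /usr/sbin/makewhatis, while the makewhatis.te hunk's sole entry point is cron_system_entry(), so any invocation outside crond stays in the caller's domain and gets none of this policy. If cron-only is the intent, say so in the module summary; otherwise the cron script that drives makewhatis is the more useful file to label, as the reply above suggests.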
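Review bot: In the makewhatis.if hunk, the module summary should use the refpolicy `## <summary>...</summary>` form rather than the bare `## Build whatis database from man pages` line, so the interface documentation tooling picks it up. The file also declares no interfaces, which is fine for a cron-only domain, but note that without a domtrans interface (a hypothetical `makewhatis_domtrans()`) no other module can ever grant the transition, which ties the module permanently to cron_system_entry().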
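Review bot: In the makewhatis.te hunk, `files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, dir)` only relabels directories created under /tmp; a file makewhatis writes directly into /tmp would be created as generic tmp_t, which the domain is not allowed to create, so the write fails. If the tool writes temporary files rather than a temporary directory, widen the class list to `files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, { dir file })`. Two style points: new refpolicy modules start at version 1.0.0 rather than 0.1, and the section header should use the standard 40-hash `########################################` rule instead of the 20-hash one in the hunk.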