Index: /selinux/build/misc.te
===================================================================
--- /selinux/build/misc.te	(revision 83)
+++ /selinux/build/misc.te	(revision 84)
@@ -8,4 +8,5 @@
 
 afs_access(user_t);
+zephyr_access(user_t);
 
 ### AFS ###
@@ -16,4 +17,5 @@
 
 afs_access(kernel_t);
+zephyr_access(kernel_t);
 
 # init.d script sets up cell files:
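Review bot: `zephyr_access(kernel_t);` has no comment explaining why the kernel domain needs it, and through the template in zephyr.if it grants `kernel_t` read/write on `zephyr_t` UDP sockets plus execution of the Zephyr client binaries without a domain transition. If the reason is that early boot scripts still run as `kernel_t` here (an inference from the neighbouring `afs_access(kernel_t)`), say so in a comment such as `# boot scripts run as kernel_t before transitioning; needed to start zhm`. Otherwise drop the line, so that `kernel_t` does not carry a user-facing access bundle.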
@@ -26,4 +28,6 @@
 require {
 	type crond_t, user_cron_spool_t;
+	type system_crond_t;
+	type var_log_t;
 };
 
@@ -39,4 +43,5 @@
 allow user_t crond_t:fifo_file rw_file_perms;
 allow user_t crond_t:process sigchld;
+allow system_crond_t var_log_t:file rw_file_perms;
 
 ### SSH ###
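Review bot: `allow system_crond_t var_log_t:file rw_file_perms;` lets every system cron job read and rewrite any file carrying the generic `var_log_t` label, so a misbehaving or compromised job could alter unrelated logs. If only one log file is involved, give it a dedicated type and grant access to that type instead. If the jobs only add entries, an append-only permission set is enough. At minimum, add a comment naming the file that motivated the rule, e.g. `# cron job <name> writes <log path>; TODO: narrow to a dedicated type`.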
@@ -60,5 +65,7 @@
 afs_access(procmail_t);
 mta_sendmail_exec(user_t)
+mta_sendmail_exec(system_crond_t)
 can_exec(user_t, sendmail_exec_t)
+can_exec(system_crond_t, sendmail_exec_t)
 allow sendmail_t postfix_local_t:fd use;
 allow sendmail_t postfix_local_t:fifo_file { getattr write };
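Review bot: Both added lines let `system_crond_t` execute `sendmail_exec_t` without a domain transition, so the mailer runs inside the cron domain. The cron domain then needs (and keeps) whatever access sendmail requires, rather than confining the mailer to `sendmail_t`. If cron only needs to send job output, a transition-based interface such as `mta_send_mail(system_crond_t)` would be tighter; confirm it behaves correctly with the postfix setup shown below. In reference policy `mta_sendmail_exec` already expands to a `can_exec` on `sendmail_exec_t`, so `can_exec(system_crond_t, sendmail_exec_t)` looks redundant. It mirrors the existing `user_t` pair, so it may be intentional.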
Index: /selinux/build/zephyr.fc
===================================================================
--- /selinux/build/zephyr.fc	(revision 84)
+++ /selinux/build/zephyr.fc	(revision 84)
@@ -0,0 +1,9 @@
+/usr/sbin/zhm           --      gen_context(system_u:object_r:zephyr_exec_t,s0)
+/usr/bin/zaway          --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/zctl           --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/zleave         --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/zlocate        --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/znol           --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/zstat          --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/zwgc           --      gen_context(system_u:object_r:zephyr_bin_t,s0)
+/usr/bin/zwrite         --      gen_context(system_u:object_r:zephyr_bin_t,s0)
Index: /selinux/build/zephyr.if
===================================================================
--- /selinux/build/zephyr.if	(revision 84)
+++ /selinux/build/zephyr.if	(revision 84)
@@ -0,0 +1,24 @@
+interface(`zephyr_domtrans',`
+        gen_requires(`
+                type zephyr_t, zephyr_exec_t;
+        ')
+
+        domain_auto_trans($1,zephyr_exec_t,zephyr_t)
+
+        allow $1 zephyr_t:fd use;
+        allow zephyr_t $1:fd use;
+        allow zephyr_t:$1:fifo_file rw_file_perms;
+        allow zephyr_t $1:process sigchld;
+')
+
+template(`zephyr_access',`
+        require {
+#                type krb5_conf_t;
+                type zephyr_t, zephyr_bin_t;
+        }
+
+        allow $1 zephyr_t:udp_socket { read write };
+#        allow $1 krb5_conf_t:file read;
+        can_exec($1, zephyr_t)
+        can_exec($1, zephyr_bin_t)
+')
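Review bot: `allow zephyr_t:$1:fifo_file rw_file_perms;` in `zephyr_domtrans` is not a valid allow rule, because it has a colon between source and target; it should read `allow zephyr_t $1:fifo_file rw_file_perms;`. The same interface calls `gen_requires`, while the reference-policy macro is `gen_require`, so the require block would not expand. Neither error surfaces in this commit because no caller uses `zephyr_domtrans`. In `zephyr_access`, `can_exec($1, zephyr_t)` names the process domain rather than a file type; the daemon binary is labelled `zephyr_exec_t` in zephyr.fc, so this was presumably meant to be `can_exec($1, zephyr_exec_t)`, with `zephyr_exec_t` added to the require block. If callers should start `zhm` confined, use the domain transition here instead of `can_exec`.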
Index: /selinux/build/zephyr.te
===================================================================
--- /selinux/build/zephyr.te	(revision 84)
+++ /selinux/build/zephyr.te	(revision 84)
@@ -0,0 +1,39 @@
+policy_module(zephyr,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zephyr_t;
+type zephyr_bin_t;
+type zephyr_exec_t;
+domain_type(zephyr_t)
+init_daemon_domain(zephyr_t, zephyr_exec_t)
+
+########################################
+#
+# AFS local policy
+
+files_read_etc_files(zephyr_t)
+files_rw_etc_runtime_files(zephyr_t)
+libs_use_ld_so(zephyr_t)
+libs_use_shared_libs(zephyr_t)
+miscfiles_read_localization(zephyr_t)
+
+# Init script handling
+init_use_fds(zephyr_t)
+init_use_script_ptys(zephyr_t)
+domain_use_interactive_fds(zephyr_t)
+term_use_console(zephyr_t)
+
+allow zephyr_t self:process setsched;
+allow zephyr_t self:capability { sys_admin sys_nice sys_tty_config};
+
+sysnet_dns_name_resolve(zephyr_t)
+corenet_tcp_sendrecv_all_nodes(zephyr_t)
+corenet_udp_sendrecv_all_nodes(zephyr_t)
+corenet_tcp_sendrecv_all_ports(zephyr_t)
+corenet_udp_sendrecv_all_ports(zephyr_t)
+
+#allow zephyr_bin_t fs_t:filesystem associate;
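Review bot: `allow zephyr_t self:capability { sys_admin sys_nice sys_tty_config};` gives the daemon `sys_admin`, one of the broadest capabilities, with no comment saying which operation needs it. Drop it unless an AVC denial shows it is required, and record that denial in a comment if it stays. The four `corenet_*_all_nodes` and `corenet_*_all_ports` lines also allow TCP and UDP traffic on every port, so consider restricting them to the ports Zephyr uses. `zephyr_bin_t` is declared with a bare `type` and never given a file attribute, e.g. `files_type(zephyr_bin_t)` or `corecmd_executable_file(zephyr_bin_t)`. That is probably what the commented-out `fs_t:filesystem associate` rule on the last line was working around. The section header `# AFS local policy` looks copied from the AFS module and should read `# Zephyr local policy`.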
