[ic] Updated SELinux files ...

Tim Good tim.g at edsd.com
Thu Apr 14 23:32:42 EDT 2005


interchange.fc:    
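# interchange shopping cart software
#
# File contexts for the Interchange install tree, its runtime socket files
# and its database directory.  Each entry is one line of the form
# "path-regex [file-type-flag] security-context"; the mailing list wrapped
# every entry onto two lines, so they are rejoined here so that setfiles
# can parse them.  Flags: "--" matches regular files only, "-s" matches
# socket files only.  A more specific path regex overrides the catch-all
# on the first entry.

# default for everything under the install tree: configuration type
/usr/local/interchange(/.*)?                    system_u:object_r:interchange_etc_t
# runtime state (socket files) lives under etc/
/usr/local/interchange/etc(/.*)?                system_u:object_r:interchange_var_run_t
# daemon executables; the .te enters interchange_t through interchange_exec_t
/usr/local/interchange/bin/.*                   system_u:object_r:interchange_exec_t
# error log kept inside the install tree
/usr/local/interchange/error.*               -- system_u:object_r:interchange_log_t
# makecat is labeled as a generic system binary rather than interchange_exec_t;
# this entry is more specific than bin/.* above and therefore wins for it
/usr/local/interchange/bin/makecat           -- system_u:object_r:sbin_t
# catalog databases
/var/lib/interchange(/.*)?                      system_u:object_r:interchange_db_t
# main configuration file
/usr/local/interchange/interchange\.cfg      -- system_u:object_r:interchange_etc_t
# listening unix sockets created by the daemon
/usr/local/interchange/etc/socket            -s system_u:object_r:interchange_var_run_t
/usr/local/interchange/etc/socket\.ipc       -s system_u:object_r:interchange_var_run_t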

interchange.te:

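#DESC Interchange - Ecommerce server
#
# Author:  Tim Good <draco at edsd.com>
# X-Debian-Packages: interchange
#

#################################
#
# Rules for the interchange_t domain.
#
# interchange_exec_t is the type of the interchange executable.
#
# Statements below were rejoined onto single lines; the mailing list had
# wrapped them, which left the comment continuation above uncommented and
# would not have parsed.
#
# NOTE(review): several grants in this file are broad and look like
# audit2allow output: file execute on ld_so_cache_t and locale_t, the
# dac_override capability, create/write/unlink on all httpd_sys_content_t,
# direct write access to the sendmail queue, and an unrestricted
# can_network_server().  Each is flagged where it appears; confirm the
# actual need before shipping the module.
#
daemon_domain(interchange)

# the daemon creates its listening socket files in interchange_var_run_t
allow interchange_t interchange_var_run_t:sock_file create_file_perms;

etcdir_domain(interchange)
typealias interchange_etc_t alias etc_interchange_t;
type interchange_db_t, file_type, sysadmfile;

log_domain(interchange)

# for temporary tables
tmp_domain(interchange)

allow interchange_t usr_t:file { getattr read };

allow interchange_t { sysctl_t sysctl_kernel_t }:dir search;

# own IPC: pipes, unix stream/dgram sockets, and outbound TCP connect
allow interchange_t self:fifo_file { ioctl getattr read write };
allow interchange_t self:unix_stream_socket create_stream_socket_perms;
allow interchange_t self:unix_dgram_socket { create connect write getattr };
allow interchange_t self:tcp_socket { connect };

# init scripts and Apache CGI scripts talk to the daemon over its unix socket
allow initrc_t interchange_t:unix_stream_socket connectto;
allow initrc_t interchange_var_run_t:sock_file write;
allow httpd_sys_script_t interchange_t:unix_stream_socket connectto;
allow httpd_sys_script_t interchange_var_run_t:sock_file write;
allow httpd_sys_script_t interchange_etc_t:dir { read search };
allow httpd_sys_script_t interchange_var_run_t:dir { create read search };
# NOTE(review): file execute on ld.so.cache is unusual for a CGI domain and
# is probably an mmap-derived audit2allow grant; confirm whether read and
# getattr are enough.
allow httpd_sys_script_t ld_so_cache_t:file execute;

# NOTE(review): same question for these two execute grants on the daemon
allow interchange_t ld_so_cache_t:file execute;
allow interchange_t locale_t:file execute;
# write access to its own log files; no read or unlink is granted here
allow interchange_t interchange_log_t:file { write append setattr ioctl };

# NOTE(review): dac_override bypasses every file-mode check for this domain.
# If it is only needed because some files are owned by another uid, fixing
# the ownership is preferable to keeping the capability.  setuid/setgid are
# presumably for dropping privileges after start-up; confirm.
allow interchange_t self:capability { dac_override setgid setuid };
allow interchange_t self:process getsched;

allow interchange_t proc_t:file { getattr read };
# system binaries run in-domain: execute_no_trans means no domain transition
allow interchange_t { bin_t sbin_t home_root_t }:dir { getattr read search };
allow interchange_t { bin_t sbin_t }:file { getattr read execute execute_no_trans };
allow interchange_t { bin_t sbin_t }:lnk_file { getattr read execute };
allow interchange_t urandom_device_t:chr_file read;

# connect to mysql
ifdef(`mysqld.te', `
# over the unix socket; both the runtime and the database-directory
# sock_file locations are covered
can_unix_connect(interchange_t, mysqld_t)
allow interchange_t mysqld_var_run_t:dir search;
allow interchange_t mysqld_var_run_t:sock_file write;
allow interchange_t mysqld_db_t:dir search;
allow interchange_t mysqld_t:unix_stream_socket connectto;
allow interchange_t mysqld_db_t:sock_file rw_file_perms;
allow interchange_t mysqld_var_run_t:sock_file rw_file_perms;
')

# connect to apache config files for makecat
ifdef(`apache.te', `
# NOTE(review): this gives the daemon domain create/write/unlink on every
# httpd_sys_content_t file, not only the catalog pages makecat generates.
# If only makecat needs it, a dedicated content type or a separate makecat
# domain would be tighter.
allow interchange_t httpd_sys_content_t:dir { read write add_name remove_name getattr search };
allow interchange_t httpd_sys_content_t:file { create read write lock unlink getattr setattr ioctl };
allow interchange_t httpd_sys_content_t:lnk_file { read getattr ioctl };
allow interchange_t httpd_config_t:dir search;
allow interchange_t httpd_config_t:file { read getattr ioctl };

# Apache may follow symlinks into the catalog database tree
allow httpd_t interchange_db_t:dir search;
allow httpd_t interchange_db_t:lnk_file { read getattr ioctl };
')

# Sendmail connections for sending invoices and mailings
# NOTE(review): sendmail is run execute_no_trans, so it stays in
# interchange_t and the daemon itself gets create/write/unlink in the mail
# queue.  A domain transition into the sendmail domain would keep queue
# access out of interchange_t; confirm that the base policy offers one.
allow interchange_t sendmail_exec_t:file { read getattr execute execute_no_trans };
allow interchange_t var_spool_t:dir { search getattr };
allow interchange_t mqueue_spool_t:dir { search getattr read write add_name remove_name };
allow interchange_t mqueue_spool_t:file { create getattr read write lock rename unlink };

# Allow access to the interchange databases
create_dir_file(interchange_t, interchange_db_t)
allow interchange_t var_lib_t:dir { getattr search };

# NOTE(review): can_network_server() is not tied to a port type; if the
# daemon listens on a fixed port, a dedicated port type would be tighter.
can_network_server(interchange_t)
can_ypbind(interchange_t)

# read config files
r_dir_file(initrc_t, interchange_etc_t)
allow interchange_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

allow interchange_t sysctl_kernel_t:dir search;
allow interchange_t sysctl_kernel_t:file read;

# the admin shell may connect to the daemon socket; the daemon may re-exec
# its own binary without leaving the domain
can_unix_connect(sysadm_t, interchange_t)
can_exec(interchange_t, interchange_exec_t)

ifdef(`logrotate.te', `
# logrotate reads the config, searches the state directories and signals
# the daemon over its unix socket
r_dir_file(logrotate_t, interchange_etc_t)
allow logrotate_t interchange_db_t:dir search;
allow logrotate_t interchange_var_run_t:dir search;
allow logrotate_t interchange_var_run_t:sock_file write;
can_unix_connect(logrotate_t, interchange_t)
')

ifdef(`daemontools.te', `
# daemontools supervise (svc_run_t) starts the daemon; svc_start_t may signal it
domain_auto_trans(svc_run_t, interchange_exec_t, interchange_t)
allow svc_start_t interchange_t:process signal;
svc_ipc_domain(interchange_t)
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
allow initrc_t interchange_db_t:dir create_dir_perms;

# because Fedora has the sock_file in the database directory
file_type_auto_trans(interchange_t, interchange_db_t, interchange_var_run_t, sock_file)
')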



