[ic] Updated Selinux files ...
Tim Good
tim.g at edsd.com
Thu Apr 14 23:32:42 EDT 2005
interchange.fc:
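# interchange shopping cart software
#
# file_contexts for the interchange install tree.  Each entry is
#   <path regex> [file-type flag] <security context>
# on ONE line (the entries as pasted into the mailing list were wrapped
# onto two lines each, which setfiles/restorecon would not accept).
# "--" restricts an entry to regular files, "-s" to socket files; no flag
# matches any file type.  The catch-all on the first entry is overridden
# by the more specific entries that follow it.
#
# NOTE(review): the whole install tree defaults to the configuration type
# (interchange_etc_t).  Anything not relabeled below, including any data
# the daemon writes under its install directory, inherits that type.

# Catch-all for the install tree: treated as configuration.
/usr/local/interchange(/.*)?			system_u:object_r:interchange_etc_t
/usr/local/interchange/interchange\.cfg	--	system_u:object_r:interchange_etc_t

# etc/ holds the unix socket the daemon creates at run time, so the whole
# directory is labeled as runtime state rather than configuration.
# NOTE(review): this also gives every other file under etc/ the runtime
# type, i.e. the same label the daemon may write to.  If etc/ carries real
# configuration, consider leaving the directory as interchange_etc_t,
# keeping only the two socket entries below, and adding a sock_file
# file_type_auto_trans in interchange.te instead.
/usr/local/interchange/etc(/.*)?		system_u:object_r:interchange_var_run_t
/usr/local/interchange/etc/socket	-s	system_u:object_r:interchange_var_run_t
/usr/local/interchange/etc/socket\.ipc	-s	system_u:object_r:interchange_var_run_t

# Daemon executables: the entry point for the transition into interchange_t.
/usr/local/interchange/bin/.*			system_u:object_r:interchange_exec_t
# makecat is the catalog-creation tool.  Labeling it sbin_t means it runs in
# the domain of the administrator who invokes it, NOT in interchange_t.
/usr/local/interchange/bin/makecat	--	system_u:object_r:sbin_t

# Error logs written by the daemon.
/usr/local/interchange/error.*	--	system_u:object_r:interchange_log_t

# Catalogs and databases.
/var/lib/interchange(/.*)?			system_u:object_r:interchange_db_t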
interchange.te:
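#DESC Interchange - Ecommerce server
#
# Author: Tim Good <draco at edsd.com>
# X-Debian-Packages: interchange
#
#################################
#
# Rules for the interchange_t domain.
#
# interchange_exec_t is the type of the interchange executable.
# (The pasted copy had this comment wrapped onto an uncommented line,
# which checkpolicy would reject; keep comments on single # lines.)
#
# Types referenced below (see interchange.fc for the on-disk labels):
#   interchange_t          - the daemon domain, created by daemon_domain
#   interchange_etc_t      - configuration under the install tree
#   interchange_var_run_t  - runtime state, in particular the unix socket
#   interchange_log_t      - error logs
#   interchange_db_t       - catalogs and databases under /var/lib/interchange
#
# Comments inside ifdef(...) blocks must not contain apostrophes or
# backticks: the block body is an m4 quoted string and a stray quote
# character terminates it.
#

daemon_domain(interchange)
# The daemon creates its unix socket(s) in the runtime-state directory.
allow interchange_t interchange_var_run_t:sock_file create_file_perms;
etcdir_domain(interchange)
typealias interchange_etc_t alias etc_interchange_t;
type interchange_db_t, file_type, sysadmfile;
log_domain(interchange)
# for temporary tables
tmp_domain(interchange)

#
# Read-only access to system files and kernel state.
#
allow interchange_t usr_t:file { getattr read };
allow interchange_t { sysctl_t sysctl_kernel_t }:dir search;
allow interchange_t sysctl_kernel_t:file read;
allow interchange_t proc_t:file { getattr read };
allow interchange_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
allow interchange_t urandom_device_t:chr_file read;

#
# IPC and process self-access.
#
allow interchange_t self:fifo_file { ioctl getattr read write };
allow interchange_t self:unix_stream_socket create_stream_socket_perms;
allow interchange_t self:unix_dgram_socket { create connect write getattr };
allow interchange_t self:tcp_socket { connect };
allow interchange_t self:process getsched;

#
# Capabilities.
# NOTE(review): dac_override bypasses DAC permission bits on every file the
# policy otherwise lets the daemon reach.  If it is only needed while the
# daemon still runs as root before setuid/setgid, or only to traverse
# directories, check whether fixing ownership of the data directories, a
# dontaudit rule, or the weaker dac_read_search would do instead.
#
allow interchange_t self:capability { dac_override setgid setuid };

#
# Error log.
#
allow interchange_t interchange_log_t:file { write append setattr ioctl };

#
# Running helper programs.
# NOTE(review): execute_no_trans means anything the daemon runs from
# bin_t/sbin_t keeps running as interchange_t, with all of the rights
# granted in this file.  Narrow to the specific helpers if they are known.
#
allow interchange_t { bin_t sbin_t home_root_t }:dir { getattr read search };
allow interchange_t { bin_t sbin_t }:file { getattr read execute execute_no_trans };
allow interchange_t { bin_t sbin_t }:lnk_file { getattr read execute };
can_exec(interchange_t, interchange_exec_t )

# ld.so.cache and locale files: execute is required here, presumably because
# the dynamic loader maps them PROT_EXEC (same rule below for the CGI link).
allow interchange_t ld_so_cache_t:file execute;
allow interchange_t locale_t:file execute;

#
# Control from the init scripts and from the administrator.
#
allow initrc_t interchange_t:unix_stream_socket connectto;
allow initrc_t interchange_var_run_t:sock_file write;
# read config files
r_dir_file(initrc_t, interchange_etc_t)
can_unix_connect(sysadm_t, interchange_t)

#
# The CGI link program, running as httpd_sys_script_t, connects to the
# daemon over its unix socket.
#
allow httpd_sys_script_t interchange_t:unix_stream_socket connectto;
allow httpd_sys_script_t interchange_var_run_t:sock_file write;
allow httpd_sys_script_t interchange_etc_t:dir { read search };
# NOTE(review): dir create here would let a CGI create a directory labeled
# interchange_var_run_t, but nothing in this file grants it add_name on a
# parent directory, so the permission looks unused - confirm it is needed.
allow httpd_sys_script_t interchange_var_run_t:dir { create read search };
allow httpd_sys_script_t ld_so_cache_t:file execute;

# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(interchange_t, mysqld_t)
allow interchange_t mysqld_t:unix_stream_socket connectto;
allow interchange_t mysqld_var_run_t:dir search;
allow interchange_t mysqld_var_run_t:sock_file rw_file_perms;
allow interchange_t mysqld_db_t:dir search;
allow interchange_t mysqld_db_t:sock_file rw_file_perms;
')

# connect to apache config files for makecat
ifdef(`apache.te', `
# NOTE(review): these rules let interchange_t create, overwrite and unlink
# files anywhere labeled httpd_sys_content_t, i.e. anything the web server
# serves.  The comment says they exist for makecat, but interchange.fc labels
# makecat as sbin_t, so makecat does NOT run in interchange_t.  Unless the
# daemon itself writes into the document root (e.g. uploads), these could be
# dropped or reduced to read access.
allow interchange_t httpd_sys_content_t:dir { read write add_name remove_name getattr search };
allow interchange_t httpd_sys_content_t:file { create read write lock unlink getattr setattr ioctl };
allow interchange_t httpd_sys_content_t:lnk_file { read getattr ioctl };
allow interchange_t httpd_config_t:dir search;
allow interchange_t httpd_config_t:file { read getattr ioctl };
# Let apache traverse the database directory and follow symlinks in it.
allow httpd_t interchange_db_t:dir search;
allow httpd_t interchange_db_t:lnk_file { read getattr ioctl };
')

#
# Sendmail connections for sending invoices and mailings
# NOTE(review): sendmail is executed WITHOUT a domain transition
# (execute_no_trans), so the daemon itself is granted create/rename/unlink
# on the mail queue.  A domain_auto_trans into the sendmail domain (guarded
# by ifdef for sendmail.te) would keep the queue writable only by sendmail
# and remove the mqueue rules below; worth trying before shipping.
#
allow interchange_t sendmail_exec_t:file { read getattr execute execute_no_trans };
allow interchange_t var_spool_t:dir { search getattr };
allow interchange_t mqueue_spool_t:dir { search getattr read write add_name remove_name };
allow interchange_t mqueue_spool_t:file { create getattr read write lock rename unlink };

# Allow access to the interchange databases
create_dir_file(interchange_t, interchange_db_t)
allow interchange_t var_lib_t:dir { getattr search };

#
# Networking.
# NOTE(review): can_network_server grants generic server-side networking.
# If the daemon only ever listens on one well-known TCP port, a dedicated
# port type with name_bind limited to it would be tighter.
#
can_network_server(interchange_t)
can_ypbind(interchange_t)

ifdef(`logrotate.te', `
r_dir_file(logrotate_t, interchange_etc_t)
allow logrotate_t interchange_db_t:dir search;
allow logrotate_t interchange_var_run_t:dir search;
allow logrotate_t interchange_var_run_t:sock_file write;
can_unix_connect(logrotate_t, interchange_t)
')

ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, interchange_exec_t, interchange_t)
allow svc_start_t interchange_t:process signal;
svc_ipc_domain(interchange_t)
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
allow initrc_t interchange_db_t:dir create_dir_perms;
# because Fedora has the sock_file in the database directory
file_type_auto_trans(interchange_t, interchange_db_t, interchange_var_run_t, sock_file)
# NOTE(review): nothing here grants httpd_sys_script_t search on
# interchange_db_t (only httpd_t gets it, in the apache block), so the CGI
# link program may be unable to reach a socket that lives under
# /var/lib/interchange.  Verify on a Fedora install.
')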