Cleaned up a little.

Do you really need to look at the aide_db_t?

If so, we really should add an interface to aide to allow this rather than requiring aide_db_t directly in this module.
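policy_module(rbacselftest,1.0)

# Review note: aide_db_t is declared by the aide module.  Pulling it in with
# gen_require couples this .te file to aide internals; the aide access further
# down should be provided through an interface in aide.if instead so that the
# dependency is visible from both modules.
gen_require(`
        type aide_db_t;
')


########################################
#
# Declarations
#

# the self test domain and its entry point binary
type rbacselftest_t;
type rbacselftest_exec_t;

domain_type(rbacselftest_t)
domain_entry_file(rbacselftest_t,rbacselftest_exec_t)

# rbacselftest pid file, created in the pid directory via files_pid_filetrans below
type rbacselftest_var_run_t;
files_type(rbacselftest_var_run_t)

# rbacselftest etc
type rbacselftest_etc_t;
files_type(rbacselftest_etc_t)

########################################
#
# rbacselftest local policy
#

# inherit file descriptors from newrole
seutil_use_newrole_fds(rbacselftest_t)

# pid file
allow rbacselftest_t rbacselftest_var_run_t:file manage_file_perms;
allow rbacselftest_t rbacselftest_var_run_t:dir rw_dir_perms;
files_pid_filetrans(rbacselftest_t, rbacselftest_var_run_t, { file dir })

# audit: emit records over the audit netlink socket.
# Review note: audit_write is what nlmsg_relay needs to send records;
# audit_control additionally allows changing the audit configuration.
# Confirm the self test really needs the latter.
allow rbacselftest_t self:capability { audit_write audit_control };
allow rbacselftest_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

# aide database
# Fixed: create_file_perms is a file class permission set.  The original rule
# applied it to class dir, which granted create/rename/unlink of aide_db_t
# directories rather than creation of files inside them.  rw_dir_perms on the
# directory plus create_file_perms on the file class is the pairing needed to
# write entries into the aide db directory, which is presumably the intent.
# Confirm with the author and, as noted above, move this behind an aide interface.
allow rbacselftest_t aide_db_t:dir rw_dir_perms;
allow rbacselftest_t aide_db_t:file create_file_perms;

# binaries
corecmd_exec_bin(rbacselftest_t)
corecmd_exec_shell(rbacselftest_t)

# login
locallogin_use_fds(rbacselftest_t)

# broad file access.
# Review note: files_read_all_files grants read access to all file types and
# dac_override also bypasses the discretionary permission checks, so this domain
# can read essentially any file on the system.  That is a large grant for a self
# test; keep it only if that scope is the documented intent.
allow rbacselftest_t self:capability { dac_override fowner };

files_read_all_files(rbacselftest_t)

# shared library and dynamic loader access
libs_use_shared_libs(rbacselftest_t)
libs_use_ld_so(rbacselftest_t)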
