cvs needs auth_use_nsswitch. Added cvsweb policy from Lubomir Rintel. Added _admin interface.
Subject: [PATCH] refpolicy: services_cvs changes
--text follows this line--
--- nsaserefpolicy/policy/modules/services/cvs.fc 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/cvs.fc 2008-06-30 16:00:10.000000000 -0400
@@ -5,3 +5,6 @@
 /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+#CVSWeb file context
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/cvs.if 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/cvs.if 2008-06-30 16:04:16.000000000 -0400
@@ -36,3 +36,70 @@
 can_exec($1,cvs_exec_t)
 ')
+
+########################################
+## <summary>
+## Execute cvs server in the cvs domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`cvs_script_domtrans',`
+ gen_require(`
+ type cvs_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,cvs_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cvs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the cvs domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cvs_admin',`
+ gen_require(`
+ type cvs_t, cvs_tmp_t;
+ type cvs_data_t, cvs_var_run_t;
+ type cvs_script_exec_t;
+ ')
+
+ allow $1 cvs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cvs_t)
+
+ # Allow cvs_t to restart the apache service
+ cvs_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cvs_script_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ manage_all_pattern($1,cvs_tmp_t)
+
+ manage_all_pattern($1,cvs_data_t)
+
+ files_list_pids($1)
+ manage_all_pattern($1,cvs_var_run_t)
+')
+
--- nsaserefpolicy/policy/modules/services/cvs.te 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/cvs.te 2008-06-30 16:00:42.000000000 -0400
@@ -28,6 +28,9 @@
 type cvs_var_run_t;
 files_pid_file(cvs_var_run_t)
+type cvs_script_exec_t;
+init_script_type(cvs_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -69,6 +72,7 @@
 fs_getattr_xattr_fs(cvs_t)
 auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
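Review bot: The summary on the new `cvs_script_domtrans` interface does not describe what it does: the body calls `init_script_domtrans_spec($1,cvs_script_exec_t)`, which lets the caller run the cvs init script in the init script domain, not "Execute cvs server in the cvs domain"; I would change that line to `##	Execute the cvs init script in the init script domain.`. In `cvs_admin` the comment `# Allow cvs_t to restart the apache service` is a copy-paste leftover, since the rules beneath it apply to `$1` and the cvs script type, so `# Allow the admin domain to restart the cvs service` describes them. The summary line `an cvs environment` should read `a cvs environment`. Because `cvs_admin` hands out ptrace, signal and full manage rights over cvs_t and its data, accurate documentation of which domain receives them matters to anyone auditing role capabilities.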
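Review bot: `cvs_script_exec_t` is declared here and marked with `init_script_type`, but nothing in this patch labels a file with it; the cvs.fc hunk only adds the two cvsweb.cgi entries. Unless an init-script file context for cvs exists outside this patch, the `cvs_script_domtrans` and `role_transition` rules added in cvs.if never apply and the new type is dead weight, and if cvs is only started through a superserver on the target systems the type and the transition rules in `cvs_admin` could be dropped instead. Either a matching .fc entry or a comment on the declaration saying why it has no file context would make the intent clear.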
@@ -86,8 +90,6 @@
 miscfiles_read_localization(cvs_t)
-sysnet_read_config(cvs_t)
-
 mta_send_mail(cvs_t)
 # cjp: typeattribute doesnt work in conditionals yet
@@ -103,10 +105,13 @@
 kerberos_dontaudit_write_config(cvs_t)
 ')
-optional_policy(`
- nis_use_ypbind(cvs_t)
-')
+########################################
+# CVSWeb policy
+
+apache_content_template(cvs)
+
+read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)
+manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)
+files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
-optional_policy(`
- nscd_socket_use(cvs_t)
-')
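Review bot: `manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)` names `httpd_cvs_script_t_t`, which nothing declares (`apache_content_template(cvs)` declares `httpd_cvs_script_t`), so the module should fail the policy compile on an undeclared type; the line wants to be `manage_dirs_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)`, matching the `manage_files_pattern` line under it. `read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)` grants read on repository files but only search on the directories; a web front-end that browses the repository presumably needs to list them too, so `list_dirs_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)` is likely wanted, to be confirmed against the denials cvsweb actually produces. The CVSWeb block also calls the apache template unconditionally, which makes the cvs module depend on the apache module being loaded; if that is intended, a comment on the block saying so would spare the next reader the question.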