SUSE:SLE-12-SP2:Update
selinux-policy.817
suse_additions_sslh.patch
File suse_additions_sslh.patch of Package selinux-policy.817
Index: serefpolicy-contrib-20140730/sslh.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.fc
@@ -0,0 +1,9 @@
+/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+
+/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
+
+#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+
Index: serefpolicy-contrib-20140730/sslh.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.if
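Review bot: In sslh.fc the commented-out `/usr/sbin/rcsslh` entry carries no explanation, so a later maintainer cannot tell whether it was disabled on purpose. Either drop the line or say why it is off, for example `# rcsslh keeps its default label; only the daemon binary gets sslh_exec_t`. If rcsslh is a symlink on the target system (not visible here), a `--` entry would not match it in any case, because `--` selects regular files only.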
@@ -0,0 +1,77 @@
+## <summary>sslh Applicative Protocol Multiplexer</summary>
+
+#######################################
+## <summary>
+## Allow a domain to getattr on sslh binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_getattr_exec',`
+ gen_require(`
+ type sslh_exec_t;
+ ')
+
+ allow $1 sslh_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Read sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+######################################
+## <summary>
+## Write sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+####################################
+## <summary>
+## Manage sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_manage_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
Index: serefpolicy-contrib-20140730/sslh.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.te
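Review bot: In sslh.if the parameter text of `sslh_getattr_exec` says "Domain allowed to transition.", but the interface grants only `allow $1 sslh_exec_t:file getattr;` and no domain transition. The description should read `## Domain allowed access.` like the other three interfaces, so that a caller does not assume it receives execute or transition rights. Separately, `sslh_read_config` calls `list_dirs_pattern` on sslh_conf_t although sslh.fc labels only regular files (`--`) with that type; if no directory is ever labelled sslh_conf_t, that line grants nothing useful and can be dropped.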
@@ -0,0 +1,48 @@
+policy_module(sslh, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_conf_t;
+files_config_file(sslh_conf_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+allow sslh_t self:capability { setuid net_bind_service setgid };
+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow sslh_t self:process { setcap signal };
+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
+
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_tcp_bind_all_ports(sslh_t)
+corenet_tcp_connect_all_ports(sslh_t)
+
+corenet_udp_bind_all_ports(sslh_t)
+corenet_udp_send_generic_if(sslh_t)
+corenet_udp_receive_generic_if(sslh_t)
+
+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
+
+nscd_shm_use(sslh_t)
+
+allow sslh_t nscd_var_run_t:file read;
+
+# dontaudit?
+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
+#allow sshd_t unconfined_t:process { siginh noatsecure };
+
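Review bot: In sslh.te, `corenet_tcp_bind_all_ports`, `corenet_tcp_connect_all_ports` and `corenet_udp_bind_all_ports` let sslh_t bind and connect to every port type, so the policy puts almost no network limit on a daemon that accepts connections from outside and forwards them. Prefer the per-port interfaces for the listener and the configured backends, e.g. `corenet_tcp_bind_http_port(sslh_t)`, `corenet_tcp_connect_ssh_port(sslh_t)` and `corenet_tcp_connect_http_port(sslh_t)`, and put any wider access behind a tunable that defaults to off. The direct `allow sslh_t nscd_var_run_t:file read;` names a type this module never requires itself; it appears to rely on the require pulled in by `nscd_shm_use`, and both lines would be safer inside an `optional_policy` block. The two commented lines at the end name sshd_t rather than sslh_t and look like leftovers from another module; remove them or rewrite them as explicit `dontaudit` rules for sslh_t.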