authortoni <toni@devlap.local>2014-11-25 14:23:20 +0100
committertoni <toni@devlap.local>2014-11-25 14:23:20 +0100
commitb54c3dcb4da34cdb2e9d92516ed965e3a1a157aa (patch)
treefdd51a17dbd3a86b402343dcbfb402ee37c6d676 /selinux_pols
parent6d5e06e725bf85fd5039619b342bc7491d563c70 (diff)
parent99fd112d43bc37104a45df62e37ee33590f701ec (diff)
Merge branch 'master' of github.com:freecoding/foo-scripts
Diffstat (limited to 'selinux_pols')
-rwxr-xr-xselinux_pols/build_all.sh31
-rw-r--r--selinux_pols/dmesg.te10
-rw-r--r--selinux_pols/exim.te12
-rw-r--r--selinux_pols/fuse.te10
-rw-r--r--selinux_pols/hald.te39
-rw-r--r--selinux_pols/pulse.te39
-rw-r--r--selinux_pols/samba.te12
7 files changed, 153 insertions, 0 deletions
diff --git a/selinux_pols/build_all.sh b/selinux_pols/build_all.sh
new file mode 100755
index 0000000..286cdc8
--- /dev/null
+++ b/selinux_pols/build_all.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+BDIR=$(dirname ${0})
+
+function run_cmd {
+ cmd="${1}"
+ echo "${cmd}"
+ $cmd
+ return $?
+}
+
+echo "$0: building all in $BDIR" >&2
+for file in ${BDIR}/*.te; do
+ echo "* building: $file"
+ fname=$(basename ${file} | sed -e 's/^\(.*\)\.\(.*\)$/\1/g')
+ run_cmd "checkmodule -m -M -o ${BDIR}/${fname}.mod ${BDIR}/${fname}.te"
+ if [ $? -ne 0 ]; then
+ echo "checkmodule: ERROR, next .." >&2
+ continue
+ fi
+ run_cmd "semodule_package -m ${BDIR}/${fname}.mod -o ${BDIR}/${fname}.pp"
+ if [ $? -ne 0 ]; then
+ echo "semodule_package: ERROR, next .." >&2
+ continue
+ fi
+ run_cmd "semodule -i ${BDIR}/${fname}.pp"
+ run_cmd "semodule -e ${fname}"
+done
+
+echo "done."
+exit 0
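Review bot: run_cmd takes the whole command as one string and runs it unquoted at `$cmd`, so a policy directory path containing whitespace or glob characters is re-split at execution time; `BDIR=$(dirname ${0})` and `for file in ${BDIR}/*.te` are unquoted for the same reason, and an empty match runs checkmodule on the literal pattern. Passing the command as separate words and quoting every expansion removes the re-splitting, and `[[ -e "$file" ]] || continue` handles the no-match case. Separately, the status of `semodule -i` is never checked before `semodule -e` runs and the script always ends with `exit 0`, so a failed install of a module into the running policy is visible only on stderr, never in the exit code; a failure flag carried out of the loop fixes that.
```bash
BDIR=$(dirname -- "$0")
rc=0

run_cmd() {
  printf '%s\n' "$*"
  "$@"
}

# … unchanged: "building all in" banner …
for file in "${BDIR}"/*.te; do
  [[ -e "$file" ]] || continue
  echo "* building: $file"
  fname=$(basename -- "$file" .te)
  if ! run_cmd checkmodule -m -M -o "${BDIR}/${fname}.mod" "${BDIR}/${fname}.te"; then
    echo "checkmodule: ERROR, next .." >&2; rc=1; continue
  fi
  if ! run_cmd semodule_package -m "${BDIR}/${fname}.mod" -o "${BDIR}/${fname}.pp"; then
    echo "semodule_package: ERROR, next .." >&2; rc=1; continue
  fi
  if run_cmd semodule -i "${BDIR}/${fname}.pp"; then
    run_cmd semodule -e "${fname}" || rc=1
  else
    echo "semodule: ERROR, next .." >&2; rc=1
  fi
done

echo "done."
exit "$rc"
```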
diff --git a/selinux_pols/dmesg.te b/selinux_pols/dmesg.te
new file mode 100644
index 0000000..dd85723
--- /dev/null
+++ b/selinux_pols/dmesg.te
@@ -0,0 +1,10 @@
+module dmesg 1.0;
+
+require {
+ type dmesg_t;
+ type tty_device_t;
+ class chr_file { read write };
+}
+
+#============= dmesg_t ==============
+allow dmesg_t tty_device_t:chr_file { read write };
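Review bot: The generated rule here (and likewise in exim.te, fuse.te and samba.te) does not record the AVC denial that motivated it, so a later reader cannot tell whether `write` on every tty_device_t device is still needed or was an artifact of a single run. A one-line comment above each allow with the denied operation, comm and path from the audit log keeps the grant reviewable, e.g. `# AVC: denied { read write } for comm="dmesg" path=<path from audit log> tcontext=...:tty_device_t`. Because these modules are built with `checkmodule -m` and use raw require blocks, the rule also bypasses the base policy's terminal interfaces; noting why the base policy's grant was insufficient would justify the custom module.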
diff --git a/selinux_pols/exim.te b/selinux_pols/exim.te
new file mode 100644
index 0000000..9b0cb01
--- /dev/null
+++ b/selinux_pols/exim.te
@@ -0,0 +1,12 @@
+module exim-custom 1.0;
+
+require {
+ type sysctl_crypto_t;
+ type exim_t;
+ class dir search;
+ class file { read getattr open };
+}
+
+#============= exim_t ==============
+allow exim_t sysctl_crypto_t:dir search;
+allow exim_t sysctl_crypto_t:file { read getattr open };
diff --git a/selinux_pols/fuse.te b/selinux_pols/fuse.te
new file mode 100644
index 0000000..510cbe3
--- /dev/null
+++ b/selinux_pols/fuse.te
@@ -0,0 +1,10 @@
+module fuse-custom 1.0;
+
+require {
+ type fuse_device_t;
+ type mount_t;
+ class chr_file { write read };
+}
+
+#============= mount_t ==============
+allow mount_t fuse_device_t:chr_file { write read };
diff --git a/selinux_pols/hald.te b/selinux_pols/hald.te
new file mode 100644
index 0000000..6f40fad
--- /dev/null
+++ b/selinux_pols/hald.te
@@ -0,0 +1,39 @@
+module hald-custom 1.2;
+
+require {
+ type fixed_disk_device_t;
+ type mnt_t;
+ type system_dbusd_t;
+ class blk_file { read ioctl open };
+ class dir { write remove_name add_name };
+ class file { write rename create unlink };
+}
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t fixed_disk_device_t:blk_file { ioctl open };
+#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
+# system_dbusd_var_run_t, system_dbusd_tmp_t, user_home_t, tmp_t, var_run_t
+
+allow system_dbusd_t mnt_t:dir { write remove_name add_name };
+allow system_dbusd_t mnt_t:file { write rename create unlink };
+
+require {
+ type removable_device_t;
+ type event_device_t;
+ type system_dbusd_t;
+ class blk_file { read ioctl open };
+ class chr_file read;
+}
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t event_device_t:chr_file read;
+allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
+
+require {
+ type removable_device_t;
+ type system_dbusd_t;
+ class blk_file { read ioctl open };
+}
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
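Review bot: The rules granting system_dbusd_t write/rename/create/unlink on mnt_t and ioctl/open on fixed_disk_device_t widen the system D-Bus daemon's domain to raw disk devices and the mount-point tree, which the retained audit2allow `#!!!!` warning already flags; if these denials arose because the HAL daemon was running inside system_dbusd_t instead of its own domain, the narrower fix is the correct file context or domain transition for that daemon rather than extending system_dbusd_t, and each allow should carry the AVC line that prompted it so the grant can be revisited. The require block and the rule `allow system_dbusd_t removable_device_t:blk_file { read ioctl open };` at the end of the file repeat the earlier ones verbatim; the three require blocks can be merged into one and the duplicate rule dropped. The first require block also declares `read` on blk_file that the fixed_disk_device_t rule does not use.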
diff --git a/selinux_pols/pulse.te b/selinux_pols/pulse.te
new file mode 100644
index 0000000..6e7672d
--- /dev/null
+++ b/selinux_pols/pulse.te
@@ -0,0 +1,39 @@
+module pulse-custom 1.2;
+
+require {
+ type pulseaudio_t;
+ class sem { read write unix_write };
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t self:sem { read write unix_write };
+
+require {
+ type udev_tbl_t;
+ type pulseaudio_t;
+ class file { read getattr open };
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t udev_tbl_t:file { read getattr open };
+
+require {
+ type pulseaudio_t;
+ class sem destroy;
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t self:sem destroy;
+
+require {
+ type initrc_state_t;
+ type tmpfs_t;
+ type pulseaudio_t;
+ class sem { unix_read create getattr setattr associate };
+ class file { read write getattr open };
+}
+
+#============= pulseaudio_t ==============
+allow pulseaudio_t initrc_state_t:file { read getattr open };
+allow pulseaudio_t self:sem { unix_read create getattr setattr associate };
+allow pulseaudio_t tmpfs_t:file { read write };
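Review bot: `allow pulseaudio_t tmpfs_t:file { read write };` grants write on every generically labeled tmpfs_t file rather than only on PulseAudio's own shared-memory segments; if the base policy provides a pulseaudio-specific tmpfs type, labeling those files with it via a type transition is the narrower fix, and the rule should carry a comment naming the denied path that prompted it. The file concatenates four audit2allow outputs, so pulseaudio_t and the sem class are required three times; a single require block and one rule, `allow pulseaudio_t self:sem { read write unix_write unix_read create getattr setattr associate destroy };`, express the same self:sem grant without the repetition.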
diff --git a/selinux_pols/samba.te b/selinux_pols/samba.te
new file mode 100644
index 0000000..b153f83
--- /dev/null
+++ b/selinux_pols/samba.te
@@ -0,0 +1,12 @@
+module samba-custom 1.0;
+
+require {
+ type sysctl_crypto_t;
+ type smbd_t;
+ class dir search;
+ class file { read getattr open };
+}
+
+#============= smbd_t ==============
+allow smbd_t sysctl_crypto_t:dir search;
+allow smbd_t sysctl_crypto_t:file { read getattr open };