Changes between Version 5 and Version 6 of RubyCASServer


Ignore:
Timestamp:
Feb 7, 2012 12:03:16 PM (13 years ago)
Author:
brose
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • RubyCASServer

    v5 v6  
    119119}}}
    120120[[BR]]
    121 Note that I disabled SELinux. This should be used only for testing purposes, to generate policy files. Here is an example SELinux policy file that worked for me (but needs a serious cleanup):[[BR]]
     121Note that I disabled SELinux. This should be used only for testing purposes, to generate policy files. Here is an example SELinux policy file that worked for me (but may still be a little lax):[[BR]]
    122122{{{
    123 module rubycasserver 1.0;
     123module cscas 1.1;
    124124
    125125require {
    126         type unconfined_t;
    127         type init_t;
    128         type auditd_t;
    129         type mysqld_t;
    130         type syslogd_t;
    131         type getty_t;
    132         type initrc_t;
    133         type var_log_t;
    134         type tmp_t;
    135         type rpm_script_t;
    136         type mysqld_db_t;
    137         type dhcpc_t;
    138         type local_login_t;
    139         type httpd_tmp_t;
    140         type kernel_t;
    141         type mysqld_var_run_t;
    142         type usr_t;
    143         type postfix_qmgr_t;
    144         type passenger_t;
    145         type postfix_master_t;
    146         type udev_t;
    147         type mysqld_safe_t;
    148         type postfix_pickup_t;
    149         type groupadd_t;
    150         type crond_t;
    151         type rpm_t;
    152         type system_cronjob_t;
    153         type plymouthd_t;
    154         type httpd_t;
    155         type sshd_t;
    156         class unix_stream_socket connectto;
    157         class capability { sys_resource sys_ptrace sys_tty_config };
    158         class tcp_socket listen;
    159         class file { setattr read create write getattr unlink open append };
    160         class sock_file { write getattr setattr create unlink };
    161         class dir { search setattr read create write getattr rmdir remove_name add_name };
     126        type unconfined_t;
     127        type automount_t;
     128        type rpcbind_t;
     129        type passenger_tmp_t;
     130        type var_log_t;
     131        type httpd_t;
     132        type mysqld_port_t;
     133        type rpcd_t;
     134        type passenger_t;
     135        class sock_file { write getattr setattr create unlink };
     136        class tcp_socket { name_connect listen };
     137        class capability { sys_resource sys_ptrace };
     138        class dir { write getattr search add_name };
     139        class file { write getattr setattr read create open append };
    162140}
    163141
    164142#============= httpd_t ==============
    165 allow httpd_t tmp_t:sock_file write;
     143allow httpd_t passenger_tmp_t:dir { write search getattr add_name };
     144allow httpd_t passenger_tmp_t:file { write create open setattr };
     145allow httpd_t passenger_tmp_t:sock_file write;
    166146
    167147#============= passenger_t ==============
    168 allow passenger_t auditd_t:dir { getattr search };
    169 allow passenger_t auditd_t:file { read open };
    170 allow passenger_t crond_t:dir { getattr search };
    171 allow passenger_t crond_t:file { read open };
    172 allow passenger_t dhcpc_t:dir { getattr search };
    173 allow passenger_t dhcpc_t:file { read open };
    174 allow passenger_t getty_t:dir { getattr search };
    175 allow passenger_t getty_t:file { read open };
    176 allow passenger_t groupadd_t:dir { getattr search };
    177 allow passenger_t groupadd_t:file { read open };
     148allow passenger_t automount_t:dir { getattr search };
     149allow passenger_t automount_t:file { read open };
    178150allow passenger_t httpd_t:dir { getattr search };
    179151allow passenger_t httpd_t:file { read open };
    180 allow passenger_t httpd_tmp_t:file { getattr unlink setattr };
    181 allow passenger_t init_t:dir { getattr search };
    182 allow passenger_t init_t:file { read open };
    183 allow passenger_t initrc_t:dir { getattr search };
    184 allow passenger_t initrc_t:file { read open };
    185 allow passenger_t kernel_t:dir { getattr search };
    186 allow passenger_t kernel_t:file { read open };
    187 allow passenger_t local_login_t:dir { getattr search };
    188 allow passenger_t local_login_t:file { read open };
    189 allow passenger_t mysqld_db_t:dir search;
    190 allow passenger_t mysqld_safe_t:dir { getattr search };
    191 allow passenger_t mysqld_safe_t:file { read open };
    192 allow passenger_t mysqld_t:dir { getattr search };
    193 allow passenger_t mysqld_t:file { read open };
    194 allow passenger_t mysqld_t:unix_stream_socket connectto;
    195 allow passenger_t mysqld_var_run_t:sock_file write;
    196 allow passenger_t plymouthd_t:dir { getattr search };
    197 allow passenger_t plymouthd_t:file { read open };
    198 allow passenger_t postfix_master_t:dir { getattr search };
    199 allow passenger_t postfix_master_t:file { read open };
    200 allow passenger_t postfix_pickup_t:dir { getattr search };
    201 allow passenger_t postfix_pickup_t:file { read open };
    202 allow passenger_t postfix_qmgr_t:dir { getattr search };
    203 allow passenger_t postfix_qmgr_t:file { read open };
    204 allow passenger_t rpm_script_t:dir { getattr search };
    205 allow passenger_t rpm_script_t:file { read open };
    206 allow passenger_t rpm_t:dir { search getattr };
    207 allow passenger_t rpm_t:file { read open };
    208 allow passenger_t self:capability { sys_resource sys_ptrace sys_tty_config };
    209 allow passenger_t self:tcp_socket listen;
    210 allow passenger_t sshd_t:dir { getattr search };
    211 allow passenger_t sshd_t:file { read open };
    212 allow passenger_t syslogd_t:dir { getattr search };
    213 allow passenger_t syslogd_t:file { read open };
    214 allow passenger_t system_cronjob_t:dir { getattr search };
    215 allow passenger_t system_cronjob_t:file { read open };
    216 allow passenger_t tmp_t:dir { write rmdir setattr read remove_name create add_name };
    217 allow passenger_t tmp_t:file { write getattr setattr read create unlink open };
    218 allow passenger_t tmp_t:sock_file { write create unlink getattr setattr };
    219 allow passenger_t udev_t:dir { getattr search };
    220 allow passenger_t udev_t:file { read open };
     152allow passenger_t mysqld_port_t:tcp_socket name_connect;
     153allow passenger_t passenger_tmp_t:sock_file { write create unlink getattr setattr };
     154allow passenger_t rpcbind_t:dir { getattr search };
     155allow passenger_t rpcbind_t:file { read open };
     156allow passenger_t rpcd_t:dir { getattr search };
     157allow passenger_t rpcd_t:file { read open };
     158allow passenger_t self:capability { sys_resource sys_ptrace };
    221159allow passenger_t unconfined_t:dir { getattr search };
    222160allow passenger_t unconfined_t:file { read open };
    223 allow passenger_t usr_t:file { read getattr open };
    224161allow passenger_t var_log_t:file { getattr open append };
    225162}}}