
Last change on this file since 79 was 79, checked in by presbrey, 15 years ago
vixie-cron executes as the user under SELinux; SELinux policy for afsd and afsagent
policy_module(misc,1.0.0)

# Site glue for the AFS client, cron, sshd/Kerberos, mail and httpd.
# Every rule below targets a type that is declared in some other module
# (or brought in by an interface), so all of those types are required
# once, up front, instead of in per-section require blocks.

require {
        type user_t, crond_t, sshd_t, httpd_t, kernel_t, initrc_t;
        type proc_t, user_cron_spool_t;
}

### AFS ###

# Domains that need to reach the AFS client; afs_access() is the
# interface provided by the afs module.
afs_access(user_t)
afs_access(sshd_t)
afs_access(crond_t)
afs_access(httpd_t)
afs_access(kernel_t)
afs_access(afsd_t)

# The init.d script populates the cell configuration files.
allow initrc_t afsd_etc_t:file { write setattr };

# aklog needs to write to a proc_t file.
# NOTE(review): this covers every proc_t file, not only the AFS ioctl
# node aklog presumably uses; a dedicated label for that node would keep
# the grant narrow. Confirm which file aklog actually opens.
allow user_t proc_t:file write;

### CRON ###

# crond runs user jobs straight in user_t rather than user_crond_t.
# pam_env sets SELINUX_ROLE_TYPE so that crond requests that context.
domain_cron_exemption_target(user_t)

# The transition itself: user_t is entered via the crontab file,
# and crond is allowed to perform the switch.
allow user_t user_cron_spool_t:file entrypoint;
allow crond_t user_t:process transition;
# Routine checks performed on every domain transition; silenced, not granted.
dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };

# Descriptors and the pipe shared between crond and the job, plus the
# exit notification back to crond.
allow crond_t user_t:fd use;
allow user_t crond_t:fd use;
allow user_t crond_t:fifo_file rw_file_perms;
allow user_t crond_t:process sigchld;

### KRB ###

# sshd reads the host keytab for GSSAPI authentication.
kerberos_read_keytab(sshd_t)

# NOTE(review): this rule is about user_t, not sshd. It presumably lets
# user processes look up keyrings owned by kernel_t (AFS PAG keyrings?);
# if so it belongs with the AFS rules. Confirm before moving it.
allow user_t kernel_t:key search;

### MAIL ###

mta_sendmail_exec(user_t)
# NOTE(review): in reference policy mta_sendmail_exec() already permits
# executing sendmail_exec_t, which would make the can_exec() below
# redundant. Kept so the resulting policy is unchanged; verify against
# the local mta.if before dropping it.
can_exec(user_t, sendmail_exec_t)

### HTTPD ###

# NOTE(review): all_key_perms is wider than the keyring operations a web
# server normally performs on its own keys; consider enumerating only
# the permissions that are actually denied without this rule.
allow httpd_t self:key all_key_perms;